Bug 2484124 (CVE-2026-33245) - CVE-2026-33245 react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects
Summary: CVE-2026-33245 react-router: React Router: Cross-Site Scripting vulnerability...
Keywords:
Status: NEW
Alias: CVE-2026-33245
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-02 20:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 08:59 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-02 20:02:57 UTC
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
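
A triage check for the version range stated in the description, as an added example that is not part of the bug report or the React Router project: it walks the `packages` map of a parsed `package-lock.json` and flags every installed copy of `react-router`, including nested ones, whose version falls in 7.7.0 through 7.13.1. The sample lockfile fragment and the package names in it other than `react-router` are constructed for illustration.

```javascript
// Added triage example, not from the advisory or the React Router project.
// Affected range as stated in the description: 7.7.0 through 7.13.1 (patched in 7.13.2).
const AFFECTED_MIN = [7, 7, 0];
const AFFECTED_MAX = [7, 13, 1];

// Parse "major.minor.patch". Any prerelease or build suffix is ignored, so a
// prerelease is treated like its base version (an assumption of this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// return every installed copy of react-router, including nested copies.
function findReactRouter(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/react-router" || path.endsWith("/node_modules/react-router")) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react-router": { version: "7.13.2" },
    "node_modules/example-widget/node_modules/react-router": { version: "7.9.4" },
    "node_modules/react-router-dom": { version: "7.13.2" },
  },
};

console.log(findReactRouter(sampleLock));
```

A hit in the affected range only establishes the installed version; per the description, an application is impacted only if it also uses the unstable RSC APIs.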

Comment 2 David Hanina 2026-06-03 06:50:14 UTC
As FreeIPA goes, we can safely waive this one, as we do not use server-side rendering and its server components.

