The analysis began by examining the provided vulnerability information, which pointed to an XSS flaw in React Router's meta()/<Meta> APIs during Server-Side Rendering (SSR). The affected versions for the react-router package were specified as >= 7.0.0, <= 7.8.2, with the patch being in version 7.9.0.
To pinpoint the exact code change, I compared the git tags for the last vulnerable version (react-router@7.8.2) and the first patched version (react-router@7.9.0). This comparison revealed a set of commits, among which one had a very descriptive message: Escape JSON LD content in <Meta />. This commit, 0e774855797fcb3c7538c269158f4541beb55a1b, was the clear security patch.
Analyzing the diff of this commit showed a critical change in the file packages/react-router/lib/dom/ssr/components.tsx. Inside the Meta function component, the rendering logic for script:ld+json tags was modified. The vulnerable code passed a raw JSON string directly to dangerouslySetInnerHTML. The patch corrected this by wrapping the JSON string with an escapeHtml function.
This confirms that the Meta function was the source of the vulnerability. It was improperly trusting the content of the JSON string, allowing for the injection of arbitrary HTML and script tags, leading to XSS when exploited with untrusted data during SSR.
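The two rendering paths described above, shown side by side as an added example that is not code from React Router or from this analysis. `renderJsonLdUnsafe`, `renderJsonLdSafe` and `escapeJsonForScript` are hypothetical names, and the escape table is an assumed stand-in for the patch's `escapeHtml`, whose body is not shown on this page.

```javascript
// Added example; all function names here are hypothetical.

// Vulnerable pattern: the JSON string becomes the script body unchanged.
// JSON.stringify() does not escape "<", so a "</script>" inside any value
// ends the element early and the rest is parsed as HTML.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened pattern: rewrite HTML-significant characters as \uXXXX escapes.
// The result is still valid JSON that parses back to the same values.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function escapeJsonForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function renderJsonLdSafe(data) {
  const body = escapeJsonForScript(JSON.stringify(data));
  return `<script type="application/ld+json">${body}</script>`;
}

// Check helper: how many script end tags would an HTML parser encounter?
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Check helper: pull the script body back out of the rendered markup.
function extractBody(html) {
  return html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
}

// Constructed sample: a JSON-LD object with one untrusted field.
const sample = {
  "@context": "https://schema.org",
  "@type": "Article",
  headline: "</script><script>/* constructed marker */</script>",
};

const unsafeHtml = renderJsonLdUnsafe(sample);
const safeHtml = renderJsonLdSafe(sample);
```

In the unsafe output the parser sees three script end tags instead of one. The safe output has exactly one, and its body still parses to the original object.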
Vulnerable function: Meta (packages/react-router/lib/dom/ssr/components.tsx)

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| react-router | npm | >= 7.0.0, <= 7.8.2 | 7.9.0 |
| @remix-run/react | npm | >= 1.15.0, <= 2.17.0 | 2.17.1 |