8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21884

CVE-2026-21884: React Router SSR XSS in ScrollRestoration

React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21884

CVE-2026-21884:

8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-router	npm	>= 7.0.0, < 7.12.0	7.12.0
@remix-run/react	npm	< 2.17.3	2.17.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in React Router's <ScrollRestoration> component when Server-Side Rendering (SSR) is enabled. The core of the issue lies in the improper sanitization of user-provided keys (getKey/storageKey) which are used to generate JavaScript code that is then embedded in the server-rendered HTML.

The analysis of the patch commit c89c32c562a7723c45ee71dab1c892acaf7a608d pinpoints the vulnerable code sections.

In packages/react-router/lib/dom/lib.tsx, the ScrollRestoration component was found to be directly embedding the storageKey and ssrKey into a <script> tag via dangerouslySetInnerHTML without adequate escaping. This allows an attacker to craft a malicious key containing arbitrary JavaScript, leading to its execution on the rendered page. The fix involves wrapping the keys with an escapeHtml function before they are embedded.
In packages/react-router/lib/dom/server.tsx, the StaticRouterProvider component, which is integral to the SSR process, was identified to be using a custom and flawed htmlEscape function for sanitizing hydration data. This function was removed and substituted with the more robust escapeHtml function, the same one used to secure the ScrollRestoration component. This change indicates that the prior escaping mechanism was insufficient and a contributing factor to the vulnerability.

Consequently, during the exploitation of this vulnerability, a runtime profile would likely feature calls to ScrollRestoration, as it is the component that handles the malicious input and generates the vulnerable script. The StaticRouterProvider would also appear in the call stack, as it orchestrates the server-side rendering process where the vulnerability manifests.

Vulnerable functions

ScrollRestoration

packages/react-router/lib/dom/lib.tsx

The `ScrollRestoration` component was vulnerable to XSS because it used the `storageKey` and `ssrKey` props to generate a JavaScript snippet that was injected directly into the rendered HTML without proper escaping. An attacker could provide a malicious key, which would then be executed.

StaticRouterProvider

packages/react-router/lib/dom/server.tsx

The `StaticRouterProvider` component, used for server-side rendering, was using a flawed `htmlEscape` function to sanitize data before it was embedded in a script for client-side hydration. This insufficient escaping contributed to the XSS vulnerability. The patch replaced this with a more secure `escapeHtml` function.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21884: React Router SSR XSS in ScrollRestoration

CVE-2026-21884:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.2

8.2

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2026-21884: React Router SSR XSS in ScrollRestoration

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI