ZeroPath at Black Hat USA 2026

React Router CVE-2026-42342: Quick Look at the __manifest Endpoint Denial of Service Vulnerability

A brief summary of CVE-2026-42342, a high severity denial of service vulnerability in React Router's __manifest endpoint that allows unauthenticated attackers to exhaust server resources via unbounded path expansion in Framework Mode and Remix applications.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-02

React Router CVE-2026-42342: Quick Look at the __manifest Endpoint Denial of Service Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A crafted HTTP request to a single internal endpoint can pin a React Router server's CPU and render the entire application unresponsive for legitimate users. CVE-2026-42342, disclosed on June 2, 2026, exposes a denial of service condition in the __manifest endpoint used by React Router Framework Mode and Remix v2 applications, carrying a CVSS 7.5 (High) rating with no authentication required for exploitation.

With React Router downloaded over 13.2 million times per week on npm, the potential blast radius is significant, though the actual exposure is scoped to applications specifically running Framework Mode or Remix with server side rendering. Client side only routing configurations are entirely unaffected.

Technical Information

The __manifest Endpoint

The __manifest endpoint is an internal route that React Router exposes in Framework Mode. Its purpose is to serve manifest data that the client needs for route discovery and asset loading. When a client navigates to a route, React Router computes a manifest URL by taking the normalized basename and appending /__manifest. This endpoint is a core part of the Framework Mode routing architecture and does not exist in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Root Cause: Unbounded Path Expansion

The vulnerability falls under CWE-400 (Uncontrolled Resource Consumption). The root cause is that the __manifest endpoint's path processing logic does not impose bounds on how paths are expanded during route matching or manifest generation. When a specially crafted request is sent to this endpoint, the server enters an unbounded path expansion operation that consumes disproportionate CPU and/or memory resources relative to the size of the incoming request.

This is algorithmic resource exhaustion, not memory corruption. The distinction matters: algorithmic DoS is deterministic and reliable. An attacker does not need to win a race condition or guess memory layouts. The crafted input reliably produces the resource exhaustion outcome every time.

CVSS Breakdown

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which tells us:

ComponentValueImplication
Attack VectorNetwork (AV:N)Exploitable remotely over HTTP
Attack ComplexityLow (AC:L)No special conditions or timing required
Privileges RequiredNone (PR:N)No authentication needed
User InteractionNone (UI:N)No victim action required
ScopeUnchanged (S:U)Impact confined to the vulnerable component
ConfidentialityNone (C:N)No information disclosure
IntegrityNone (I:N)No data modification
AvailabilityHigh (A:H)Complete service unavailability possible

The impact profile (C:N/I:N/A:H) confirms this is a pure availability attack. No data is leaked or corrupted. The vulnerability exclusively degrades or eliminates service availability.

Attack Flow

Based on the advisory and CVSS characteristics, the exploitation flow is straightforward:

  1. Reconnaissance: The attacker identifies a target application running React Router Framework Mode or Remix v2. The presence of the /__manifest endpoint can be confirmed with a simple HTTP request.

  2. Crafted Request: The attacker sends one or more specially crafted HTTP requests to the /__manifest endpoint. These requests contain path structures designed to trigger the unbounded expansion behavior in the server side route matching or manifest generation logic.

  3. Resource Exhaustion: The server processes the crafted path(s) without any imposed limit on expansion. This consumes disproportionate CPU and/or memory resources on the server.

  4. Service Degradation: As server resources are consumed by processing the malicious request(s), legitimate user requests experience increased response times. With sufficient attack volume (or a sufficiently expensive single request), the server becomes completely unavailable.

The attack requires no authentication, no user interaction, and can be launched from any network location. The nature of HTTP based DoS makes this easily automatable with standard tooling.

Scope Limitation

An important nuance: only Framework Mode applications are vulnerable. The __manifest endpoint is a Framework Mode feature and does not exist in the other two React Router modes:

  • Declarative Mode (<BrowserRouter>): Not affected
  • Data Mode (createBrowserRouter/<RouterProvider>): Not affected
  • Framework Mode: Affected

This means the majority of React Router installations, which use client side only routing, have zero exposure to this CVE.

Affected Systems and Versions

Two packages are affected across specific version ranges:

PackageAffected VersionsFixed Version
react-router7.0.0 through 7.14.x7.15.0
@remix-run/server-runtime2.10.0 through 2.17.42.17.5

The affected range for react-router spans the entire React Router 7.x Framework Mode lineage from its introduction. For @remix-run/server-runtime, the affected range covers versions 2.10.0 through 2.17.4.

Only applications using React Router Framework Mode or Remix v2 with server side rendering are vulnerable. Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are explicitly not impacted.

Vendor Security History

The React Router project, maintained by Remix Run (acquired by Shopify in late 2022), has experienced a notable increase in security disclosures. A January 2026 Netlify article documented six separate CVEs affecting React Router and Remix in a single batch, spanning multiple vulnerability classes:

AdvisoryVulnerability TypeSeverity
GHSA-2w69-qvjg-hvjxXSS via Open RedirectsModerate
GHSA-3cgp-3xvw-98x8XSS via Meta component (script:ld+json)Moderate
CVE-2026-22030CSRF on document POST requestsModerate
CVE-2025-61686Path TraversalHigh

Snyk's vulnerability database confirms multiple entries for react-router v7.x and @remix-run/server-runtime, with issues ranging from XSS to CSRF to the current DoS vulnerability. The project maintains a formal security policy and uses GitHub Security Advisories for coordinated disclosure.

The same day patching response for CVE-2026-42342 (react-router 7.15.0 and @remix-run/server-runtime 2.17.5 released on the disclosure date) is a positive signal. However, the recurring pattern of vulnerabilities across the Framework Mode architecture suggests that the server side rendering components could benefit from a more systematic security review rather than continued reactive patching.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization