What is GHSA-49rj-9fvp-4h2h?

GHSA-49rj-9fvp-4h2h is a security advisory published by GitHub Security Advisories with High severity. React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

Which CVE IDs does GHSA-49rj-9fvp-4h2h cover?

GHSA-49rj-9fvp-4h2h covers the following CVE IDs: CVE-2026-42211. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-49rj-9fvp-4h2h?

GHSA-49rj-9fvp-4h2h has a CVSS v3 base score of 8.1, published by GitHub Security Advisories.

Which products are affected by GHSA-49rj-9fvp-4h2h?

GHSA-49rj-9fvp-4h2h affects 1 product, including: npm/react-router:\u003e= 7.0.0, \u003c= 7.14.1.

GHSA-49rj-9fvp-4h2hHighCVSS 8.1

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-42211 →

📋 Description

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

🎯 Affected products1

npm/react-router:>= 7.0.0, <= 7.14.1

🔗 References (3)

https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
https://nvd.nist.gov/vuln/detail/CVE-2026-42211
https://github.com/advisories/GHSA-49rj-9fvp-4h2h