What is GHSA-rxv8-25v2-qmq8?

GHSA-rxv8-25v2-qmq8 is a security advisory published by GitHub Security Advisories with High severity. React Router vulnerable to Denial of Service via reflected user input in single-fetch

Which CVE IDs does GHSA-rxv8-25v2-qmq8 cover?

GHSA-rxv8-25v2-qmq8 covers the following CVE IDs: CVE-2026-34077. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rxv8-25v2-qmq8?

GHSA-rxv8-25v2-qmq8 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-rxv8-25v2-qmq8?

GHSA-rxv8-25v2-qmq8 affects 2 products, including: npm/react-router:\u003e= 7.0.0, \u003c 7.14.0; npm/turbo-stream:\u003c 3.0.0.

GHSA-rxv8-25v2-qmq8HighCVSS 7.5

React Router vulnerable to Denial of Service via reflected user input in single-fetch

Vendor

GitHub Security Advisories

Published

June 4, 2026

Last Modified

June 4, 2026

🔗 CVE IDs covered (1)

CVE-2026-34077 →

📋 Description

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

🎯 Affected products2

npm/react-router:>= 7.0.0, < 7.14.0
npm/turbo-stream:< 3.0.0

🔗 References (6)

https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8
https://nvd.nist.gov/vuln/detail/CVE-2026-34077
https://github.com/remix-run/react-router/commit/59811921d3c7d599077b8cadccdcd65a233165e0
https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/flatten.ts#L175-L177
https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/unflatten.ts#L185-L189
https://github.com/advisories/GHSA-rxv8-25v2-qmq8