CVE-2026-33245

Severity: High
Weakness type: CWE-79
Published: Jun 2, 2026 · Modified: Jun 5, 2026 · Source: NVD
CVSS v3: 8.0
📄 Description (English)

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

🤖 AI Executive Summary

React Router versions 7.7.0-7.13.1 contain a client-side XSS vulnerability in unstable React Server Components (RSC) redirect handling when processing untrusted redirect sources. This affects only applications explicitly using RSC APIs. With CVSS 8.0, this poses significant risk to Saudi web applications and digital services relying on React Router for frontend routing, particularly those handling sensitive user data or financial transactions.

🤖 AI Intelligence Analysis (analyzed: Jun 5, 2026 00:32)
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi digital ecosystem: Banking sector (SAMA-regulated fintech platforms, digital banking interfaces), Government services (NITC-managed portals, e-government platforms), Healthcare (MOH digital services, telemedicine platforms), E-commerce (major Saudi retailers using React-based frontends), and Telecom sector (STC, Mobily customer portals). Organizations using React Router with RSC APIs for handling user authentication redirects, payment flows, or sensitive data transfers face elevated XSS exploitation risk. Potential for credential theft, session hijacking, and unauthorized access to customer accounts.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, E-commerce and Retail, Telecommunications, Energy and Utilities, Education
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all React Router implementations to identify if unstable RSC APIs are in use (check for use of createServerFn, serverAction, or similar RSC patterns)
2. If RSC APIs are NOT used, no action required; vulnerability does not apply
3. If RSC APIs ARE used, immediately implement input validation and sanitization for all redirect sources

PATCHING GUIDANCE:
1. Upgrade React Router to version 7.13.2 or later when available (currently patch is pending)
2. Until patch release, apply these compensating controls:
- Implement strict Content Security Policy (CSP) headers: default-src 'self'; script-src 'self'; object-src 'none'
- Validate all redirect URLs against a whitelist of allowed domains before processing
- Use URL.parse() and verify hostname matches expected values
- Encode all user-controlled data in redirect parameters using encodeURIComponent()

DETECTION RULES:
1. Monitor for unusual redirect patterns in application logs
2. Alert on redirect URLs containing script tags or javascript: protocol
3. WAF rules: Block requests with encoded script payloads in redirect parameters
4. Browser console monitoring for XSS execution attempts
5. CSP violation reports indicating inline script execution
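The allowlist-based redirect check and the log-based detection rule above, as an added JavaScript example (not React Router's code or the advisory's own tooling); the allowed hosts, base origin, query-parameter name `redirect` and the log lines are constructed assumptions:

```javascript
// Added example: compensating control for untrusted redirect targets.
// Exact hostnames only; constructed allowlist, adjust for the real deployment.
const ALLOWED_HOSTS = new Set(["app.example.sa", "auth.example.sa"]);

// Returns a normalized absolute URL string, or null when the redirect must be refused.
// new URL(...) inside try/catch behaves like URL.parse(), which returns null on bad input.
function validateRedirect(raw, baseOrigin = "https://app.example.sa") {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep their host.
    url = new URL(raw, baseOrigin);
  } catch {
    return null; // unparseable input is refused, never echoed back to the client
  }
  // Only http(s) may be a navigation target; this rejects javascript:, data: and similar schemes.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Exact-match hostname check (no suffix matching, so evil-app.example.sa is refused).
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Refuse embedded credentials, which are a common way to disguise the real host.
  if (url.username || url.password) return null;
  return url.href;
}

// Detection rule 2 above: flag redirect targets carrying script tags or a javascript: scheme.
const SUSPICIOUS = /<\s*script|javascript\s*:/i;

// Constructed access-log lines for demonstration; the format is assumed.
const SAMPLE_LOGS = [
  "2026-06-05T10:00:01Z GET /auth/callback?redirect=%2Fdashboard 302",
  "2026-06-05T10:00:02Z GET /auth/callback?redirect=javascript%3Aalert(1) 302",
  "2026-06-05T10:00:03Z GET /auth/callback?redirect=https%3A%2F%2Fapp.example.sa%2F 302",
];

// Returns the log lines whose decoded redirect parameter matches the suspicious pattern.
function flagSuspiciousRedirects(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /redirect=([^\s&]+)/.exec(line);
    if (!m) continue;
    let target;
    try { target = decodeURIComponent(m[1]); } catch { target = m[1]; } // malformed escapes
    if (SUSPICIOUS.test(target)) hits.push(line);
  }
  return hits;
}
```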
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Audit all React Router applications to determine whether the unstable RSC APIs are in use
2. If the RSC APIs are not in use, no action is required
3. If the RSC APIs are in use, immediately apply input validation and sanitization for all redirect sources

PATCHING GUIDANCE:
1. Upgrade React Router to version 7.13.2 or later when it becomes available
2. Until the patch is released, apply these compensating controls:
- Apply strict Content Security Policy headers
- Validate all redirect URLs against a whitelist
- Encode all user-controlled data in redirect parameters

DETECTION RULES:
1. Monitor for unusual redirect patterns in application logs
2. Alert on URLs containing script tags
3. Firewall rules: block requests containing encoded script payloads
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.14.2.1 - Secure development and change management
- ECC 2024 A.14.2.5 - Secure coding practices and vulnerability management
- ECC 2024 A.14.3.1 - Testing of security functionality
🔵 SAMA CSF
- SAMA CSF 3.1 - Application Security and Code Review
- SAMA CSF 3.2 - Vulnerability Management and Patch Management
- SAMA CSF 4.1 - Web Application Security Controls
🟡 ISO 27001:2022
- ISO 27001:2022 A.8.1 - Cryptography and secure coding
- ISO 27001:2022 A.8.2 - Secure development and change management
- ISO 27001:2022 A.8.3 - Separation of development, test and production environments
🟣 PCI DSS v4.0.1
- PCI DSS 6.5.1 - Injection flaws prevention
- PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
- PCI DSS 6.2 - Security patches and updates
📦 Affected Products / CPE (1 entry)
shopify:react-router
📊 CVSS Score: 8.0 / 10.0 (High)
📊 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
- Attack Vector: N (Network)
- Attack Complexity: H (High)
- Privileges Required: N (None)
- User Interaction: R (Required)
- Scope: C (Changed)
- Confidentiality: H (High)
- Integrity: H (High)
- Availability: N (None)
📋 Quick Facts
- Severity: High
- CVSS Score: 8.0
- CWE: CWE-79
- EPSS: 0.03%
- Exploit: No
- Patch: ✗ No
- Published: 2026-06-02
- Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0 (Priority: HIGH)
🏷️ Tags: CWE-79