CVE-2026-34077

Description

A DoS vulnerability exists in the React Router v7 [Framework Mode](https://reactrouter.com/start/modes#framework), as well as Remix v2.9.0+ with [Single Fetch](https://v2.remix.run/docs/guides/single-fetch) enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later. > [!NOTE] > This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

How to fix CVE-2026-34077

To remediate CVE-2026-34077, upgrade the affected package to a fixed version below.

• —upgrade to 7.14.0 or later
• —upgrade to 3.0.0 or later

Is CVE-2026-34077 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-34077.

Affected packages (2)

• >= 7.0.0, < 7.14.0
• from 0, < 3.0.0

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-34077
• PATCHgithub.com/remix-run/react-router
• WEBgithub.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/flatten.ts#L175-L177
• WEBgithub.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/unflatten.ts#L185-L189