CVE-2026-42211: React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_…

8.1CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-42211
Vendor	npm
Affected Product	react-router
Vulnerability Type	Vulnerability
CVSS Score	8.1 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

When using React Router v7 in [Framework Mode](https://reactrouter.com/start/modes#framework), there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server. > [!NOTE] > This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) ( ) or [Data Mode](https://reactrouter.com/start/modes#data) (createBrowserRouter/ ).

🎯 Known Indicators of Compromise

{"type":"url","value":"https://reactrouter.com/start/modes#framework),","confidence_score":0.82,"first_seen":"2026-06-03","source_count":1} {"type":"url","value":"https://reactrouter.com/start/modes#declarative)","confidence_score":0.82,"first_seen":"2026-06-03","source_count":1} {"type":"url","value":"https://reactrouter.com/start/modes#data)","confidence_score":0.82,"first_seen":"2026-06-03","source_count":1} {"type":"domain","value":"reactrouter.com","confidence_score":0.75,"first_seen":"2026-06-03","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-42211 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →