{"vulnerability": "cve-2026-34077", "sightings": [{"uuid": "a40a7b85-b4f7-46f8-afb0-1095182a199a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-34077", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mndp5yc5eh2p", "content": "\ud83d\udfe0 CVE-2026-34077 - High (7.5)\n\nReact Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's u...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-34077/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-02T23:00:45.239680Z"}, {"uuid": "25f2a422-19c9-4502-a697-1ec33fbed7ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-34077", "type": "seen", "source": "https://gist.github.com/alon710/3d94838c8c562b52d8cc99e4e0d339c7", "content": "# CVE-2026-34077: CVE-2026-34077: Denial of Service and Unsafe Deserialization in React Router Single Fetch\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-04\n> **Full Report:** https://cvereports.com/reports/CVE-2026-34077\n\n## Summary\nReact Router and the underlying turbo-stream vendor library contain a vulnerability allowing remote unauthenticated attackers to trigger a Denial of Service (DoS) or potentially client-side Cross-Site Scripting (XSS) due to unsafe dynamic deserialization of streaming error payloads.\n\n## TL;DR\nA dynamic object instantiation flaw in turbo-stream allows unauthenticated remote attackers to crash React Router or Remix applications via crafted payloads that instantiate non-constructor objects or cause out-of-memory errors.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS Score**: 7.5\n- **EPSS Score**: 0.0004 (12.33 percentile)\n- **Impact**: Denial of Service (DoS) / Process Crash\n- **Exploit Status**: Proof-of-Concept / Theoretical\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- react-router\n- turbo-stream\n- Remix\n- **react-router**: >= 7.0.0, < 7.14.0 (Fixed in: `7.14.0`)\n- **react-router (RSC context)**: >= 7.7.0, < 7.13.2 (Fixed in: `7.13.2`)\n- **turbo-stream**: < 3.0.0 (Fixed in: `3.0.0`)\n\n## Mitigation\n\n- Upgrade react-router to version 7.14.0 or above\n- Ensure nested dependency turbo-stream is resolved to 3.0.0 or above\n- Employ rate limiting on single-fetch and RSC streaming routes\n- Filter incoming HTTP streams for suspicious or unverified error names\n\n**Remediation Steps:**\n1. Open your application's package.json file\n2. Update the 'react-router' dependency to '^7.14.0' or the respective patched version\n3. Execute your package manager's update command (e.g., 'npm update react-router' or 'yarn upgrade react-router')\n4. Verify the resolution of 'turbo-stream' to version '^3.0.0' or higher within your package lockfile\n5. Deploy the updated application to staging, validating that streaming endpoints resolve correctly without exceptions\n6. Roll out the patched build to production environments\n\n## References\n\n- [GHSA-rxv8-25v2-qmq8](https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8)\n- [NVD - CVE-2026-34077](https://nvd.nist.gov/vuln/detail/CVE-2026-34077)\n- [Vulnerable Source Code - Flatten](https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/flatten.ts#L175-L177)\n- [Vulnerable Source Code - Unflatten](https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/unflatten.ts#L185-L189)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-34077) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T15:40:51.000000Z"}]}