CVE-2025-59057 is a cross-site scripting (XSS) vulnerability categorized under CWE-79, found in the React Router library, a widely used routing solution for React applications. The vulnerability specifically affects the meta() and <Meta> APIs when used in Framework Mode, which generate script:ld+json tags during server-side rendering (SSR). These tags are intended to embed structured data in JSON-LD format for SEO and other purposes. However, if untrusted or improperly sanitized input is used to generate these tags, it can lead to improper neutralization of input, allowing an attacker to inject arbitrary JavaScript code. This code executes in the context of the victim's browser, potentially leading to data theft, session hijacking, or other malicious actions. The vulnerability does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), which handle routing differently and do not generate the vulnerable script tags in the same manner. The affected versions are @remix-run/react from 1.15.0 up to 2.17.0 and react-router from 7.0.0 up to 7.8.2. The issue was publicly disclosed with a CVSS v3.1 score of 7.6, indicating high severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), with high impact on confidentiality, low on integrity, and no impact on availability. No known exploits have been reported in the wild as of the publication date. The vulnerability has been patched in @remix-run/react 2.17.1 and react-router 7.9.0, and users are strongly advised to upgrade to these versions or later to mitigate the risk.

For European organizations, this vulnerability poses a significant risk especially for those deploying React applications that use the affected versions of React Router in Framework Mode. Successful exploitation could lead to arbitrary JavaScript execution in users' browsers, resulting in theft of sensitive data such as authentication tokens, personal information, or corporate secrets. This could also facilitate further attacks like session hijacking or phishing. The impact on confidentiality is high, while integrity is moderately affected due to potential manipulation of client-side data. Availability is not impacted. Given the widespread adoption of React in European enterprises, including sectors such as finance, healthcare, and e-commerce, the risk is considerable. Organizations handling sensitive or regulated data under GDPR must be particularly vigilant, as exploitation could lead to data breaches and regulatory penalties. The requirement for low privileges and user interaction lowers the barrier for attackers, increasing the threat level. Although no exploits are currently known in the wild, the public disclosure and availability of patches necessitate prompt action to prevent potential attacks.

European organizations should immediately assess their use of React Router and @remix-run/react libraries to identify if they are running affected versions (1.15.0 to <2.17.1 for @remix-run/react and 7.0.0 to <7.9.0 for react-router). The primary mitigation is to upgrade to the patched versions 2.17.1 or later for @remix-run/react and 7.9.0 or later for react-router. Additionally, organizations should audit their use of the meta() and <Meta> APIs in Framework Mode to ensure that no untrusted or user-supplied input is used to generate script:ld+json tags. Implement strict input validation and sanitization on any data that could be embedded in these tags. Employ Content Security Policy (CSP) headers to restrict script execution sources, which can mitigate the impact of XSS attacks. Conduct thorough security testing, including automated scanning and manual code reviews focused on SSR and meta tag generation. Educate developers about the risks of improper input handling in SSR contexts. Finally, monitor application logs and user reports for signs of suspicious activity that could indicate exploitation attempts.