


Perceptive Security
SOC/SIEM Consultancy

React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exist…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
A Cross-Site Scripting (XSS) vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags. The vulnerability affects @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2. It allows arbitrary JavaScript execution during Server-Side Rendering (SSR) if untrusted content is used to generate the tag. The issue only impacts applications using Framework Mode, not Declarative Mode or Data Mode. Patches are available in @remix-run/react version 2.17.1 and react-router version 7.9.0.
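The bug class described above, shown as an added example that is not code from React Router or from the advisory: JSON-LD serialized straight into a script element next to a version that escapes the characters the HTML parser reacts to. The function names and the sample object are constructed for illustration, and the escaping shown is the general technique for embedding JSON in a script element, not necessarily the project's own patch.

```javascript
// Added example: names and sample data are constructed for illustration.

// Characters that can end the <script> element or open an HTML comment,
// plus the two line separators that older JS parsers treat as newlines.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Naive rendering: JSON.stringify leaves "<" and "/" untouched, so a string
// value containing "</script>" closes the element early in the HTML parser.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened rendering: escape after serializing. \uXXXX escapes are valid
// JSON, so consumers of the JSON-LD still parse the original values.
function serializeJsonLd(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function renderJsonLdSafe(data) {
  return `<script type="application/ld+json">${serializeJsonLd(data)}</script>`;
}

// Counts closing script tags the way an HTML tokenizer would see them.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed input: a user-controlled field that contains a closing tag.
const untrusted = {
  "@context": "https://schema.org",
  "@type": "Article",
  headline: 'Quarterly report </script><b data-marker="injected">',
};

console.log(countScriptCloses(renderJsonLdUnsafe(untrusted))); // 2
console.log(countScriptCloses(renderJsonLdSafe(untrusted))); // 1
console.log(JSON.parse(serializeJsonLd(untrusted)).headline === untrusted.headline); // true
```

A second closing tag in the unsafe output means everything after it is parsed as HTML rather than as JSON-LD data; upgrading to the patched versions named above remains the fix for affected applications.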
Technical details
Affected products:
React Router
@remix-run/react
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-59057
https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8
This article was created with the assistance of AI technology by Perceptive.
