React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain cr…

React Router versions 7.0.0 through 7.14.x and @remix-run/server-runtime versions 2.10.0 through 2.17.4 contain a vulnerability that allows crafted requests to consume disproportionate server resources via unbounded path expansion in the __manifest endpoint. This results in response time degradation and potential service unavailability for end users. The vulnerability affects React Router Framework Mode applications and Remix applications but does not impact Declarative Mode or Data Mode applications. Patches are available in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.