Skip to content

OCPBUGS-94037: bump react-router to ~7.15.0 for CVE-2026-42342#16735

Open
Cragsmann wants to merge 2 commits into
openshift:mainfrom
Cragsmann:OCPBUGS-94037-cve-2026-42342
Open

OCPBUGS-94037: bump react-router to ~7.15.0 for CVE-2026-42342#16735
Cragsmann wants to merge 2 commits into
openshift:mainfrom
Cragsmann:OCPBUGS-94037-cve-2026-42342

Conversation

@Cragsmann

@Cragsmann Cragsmann commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps react-router from ~7.13.1 to ~7.15.0
  • Fixes CVE-2026-42342: Denial of Service via unbounded path expansion in __manifest endpoint
  • CVSS 7.5 (High)

Details

In React Router Framework Mode (versions 7.0.0 through 7.14.x), crafted requests to the __manifest endpoint can consume disproportionate server resources via unbounded path expansion, causing response time degradation and service unavailability.

Patched in react-router 7.15.0.

Test plan

  • yarn install succeeds
  • CI build succeeds
  • Verify console loads and navigates correctly

Fixes: https://issues.redhat.com/browse/OCPBUGS-94037

Summary by CodeRabbit

  • Chores
    • Updated the app’s routing package to a newer version in both the frontend and demo setup.

Fixes denial of service via unbounded path expansion in the
__manifest endpoint (CVSS 7.5).

Upgrades react-router from ~7.13.1 to ~7.15.0.
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 8, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@Cragsmann: This pull request references Jira Issue OCPBUGS-94037, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Bumps react-router from ~7.13.1 to ~7.15.0
  • Fixes CVE-2026-42342: Denial of Service via unbounded path expansion in __manifest endpoint
  • CVSS 7.5 (High)

Details

In React Router Framework Mode (versions 7.0.0 through 7.14.x), crafted requests to the __manifest endpoint can consume disproportionate server resources via unbounded path expansion, causing response time degradation and service unavailability.

Patched in react-router 7.15.0.

Test plan

  • yarn install succeeds
  • CI build succeeds
  • Verify console loads and navigates correctly

Fixes: https://issues.redhat.com/browse/OCPBUGS-94037

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fe8fe28e-6c03-43b4-b542-1c2fbca56437

📥 Commits

Reviewing files that changed from the base of the PR and between fd6a21a and dde04eb.

⛔ Files ignored due to path filters (1)
  • frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • dynamic-demo-plugin/package.json
  • frontend/package.json

Walkthrough

This PR updates the react-router dependency version constraint from ~7.13.1 to ~7.15.0 in both frontend/package.json and dynamic-demo-plugin/package.json.

Changes

Dependency Version Update

Layer / File(s) Summary
Bump react-router version
frontend/package.json, dynamic-demo-plugin/package.json
Updates the react-router version constraint from ~7.13.1 to ~7.15.0 in dependencies and devDependencies respectively.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title is specific, concise, and accurately states the main change and issue ID.
Description check ✅ Passed The description covers the summary, root cause, fix details, and test plan, but omits several template sections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only bumps dependency versions in package.json/yarn.lock; no Ginkgo test files or titles were added or changed.
Test Structure And Quality ✅ Passed PR only changes a package.json dependency; no Ginkgo test code was added or modified, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR only changes package.json/yarn.lock dependency bumps; no new Ginkgo e2e tests or MicroShift-unsafe OpenShift API usage were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Diff only bumps react-router in package.json; no new Ginkgo e2e tests or SNO-specific assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Only package.json and yarn.lock dependency bumps changed; no deployment manifests, operators, controllers, or scheduling constraints were modified.
Ote Binary Stdout Contract ✅ Passed PR only bumps react-router in package.json/yarn.lock; no process-level code or stdout writes were changed, so the OTE stdout contract isn't impacted.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed HEAD changes only dynamic-demo-plugin/package.json; no Ginkgo tests or network-relevant code were added or modified.
No-Weak-Crypto ✅ Passed PR only bumps react-router in dynamic-demo-plugin/package.json; no weak-crypto, custom crypto, or secret-comparison code is introduced.
Container-Privileges ✅ Passed No container/K8s manifests were changed; the PR only updates react-router versions in package.json, with no privileged fields added.
No-Sensitive-Data-In-Logs ✅ Passed Diff only bumps react-router in package manifests/lockfile; no log statements or secret-like strings were added in changed files.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from Leo6Leo and jhadvig July 8, 2026 10:49
Align dynamic-demo-plugin react-router version (~7.15.0) with the
main console frontend to fix ConsoleRemotePlugin validation error.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the kind/demo-plugin Related to dynamic-demo-plugin label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Cragsmann
Once this PR has been reviewed and has the lgtm label, please assign logonoff for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@Cragsmann: This pull request references Jira Issue OCPBUGS-94037, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Summary

  • Bumps react-router from ~7.13.1 to ~7.15.0
  • Fixes CVE-2026-42342: Denial of Service via unbounded path expansion in __manifest endpoint
  • CVSS 7.5 (High)

Details

In React Router Framework Mode (versions 7.0.0 through 7.14.x), crafted requests to the __manifest endpoint can consume disproportionate server resources via unbounded path expansion, causing response time degradation and service unavailability.

Patched in react-router 7.15.0.

Test plan

  • yarn install succeeds
  • CI build succeeds
  • Verify console loads and navigates correctly

Fixes: https://issues.redhat.com/browse/OCPBUGS-94037

Summary by CodeRabbit

  • Chores
  • Updated the app’s routing package to a newer version in both the frontend and demo setup.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Cragsmann

Copy link
Copy Markdown
Contributor Author

/retest

2 similar comments
@Cragsmann

Copy link
Copy Markdown
Contributor Author

/retest

@Cragsmann

Copy link
Copy Markdown
Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@Cragsmann: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-images dde04eb link true /test okd-scos-images
ci/prow/frontend dde04eb link true /test frontend
ci/prow/analyze dde04eb link true /test analyze
ci/prow/images dde04eb link true /test images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. kind/demo-plugin Related to dynamic-demo-plugin

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants