Description
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Published: 2026-01-10
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react‑router 7.0.0 through 7.11.0, open navigation redirects that originate from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs that cause unintended JavaScript execution on the client. The vulnerability only applies when redirect paths are constructed from untrusted content or via an open redirect; Declarative Mode (<BrowserRouter>) is not affected. This is a cross‑site scripting flaw (CWE‑79). The impact is that an attacker can execute arbitrary code on the client without needing other privileges.

Affected Systems

Vendors: remix‑run (React Router). Affected versions are @remix‑run/router before 1.23.2 and react‑router versions 7.0.0 through 7.11.0. Versions 1.23.2 and 7.12.0 and later contain the fix. If Declarative Mode (<BrowserRouter>) is used, the issue does not apply.

Risk and Exploitability

The CVSS score is 8, indicating high severity. The EPSS score is below 1%, indicating a very low probability of exploitation based on the data currently available. The vulnerability is not listed in CISA's KEV catalog. Exploitation likely requires that an attacker can influence the redirect URL returned by a loader or action; the attack vector is user-directed, through a link that the victim clicks. Successful exploitation permits arbitrary JavaScript execution in the victim's browser, providing opportunities for phishing, credential theft, or further client-side attacks.

Generated by OpenCVE AI on June 2, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @remix‑run/router to version 1.23.2 or later
  • Upgrade react‑router to version 7.12.0 or later
  • Verify that any redirects generated by loaders or actions do not use untrusted user input; sanitize or reject such redirects
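As an added example illustrating the third recommendation (this is not React Router's code or the advisory's), a loader that takes its redirect target from a query parameter is shown beside a hardened version that only accepts same-origin relative paths. The `redirect` helper is a local stand-in for react-router's `redirect()` so the snippet runs without the package; `returnTo`, `safeRelativePath` and the `/dashboard` fallback are assumed names.

```javascript
// Stand-in for react-router's redirect(): the real helper returns a Response
// whose Location header the router navigates to on the client.
function redirect(location, status = 302) {
  return { status, headers: { Location: location } };
}

// Returns the input as a normalised same-origin relative path, or null when it
// is not one. Rejects scheme-bearing values (javascript:, data:, https:),
// protocol-relative "//host" forms, the backslash variant the URL parser
// treats like a slash, and control characters.
function safeRelativePath(input) {
  if (typeof input !== "string") return null;
  const s = input.trim();
  if (s === "" || !s.startsWith("/")) return null;
  if (s.startsWith("//") || s.startsWith("/\\")) return null;
  if (/[\u0000-\u001f\u007f]/.test(s)) return null;
  // Resolve against a fixed dummy origin and confirm it stayed on that origin.
  let url;
  try {
    url = new URL(s, "https://app.invalid");
  } catch {
    return null;
  }
  if (url.origin !== "https://app.invalid") return null;
  return url.pathname + url.search + url.hash;
}

// Vulnerable pattern: the redirect target is taken straight from untrusted
// query input, so a scheme-bearing value reaches the client unchanged.
function unsafeLoader({ request }) {
  const returnTo = new URL(request.url).searchParams.get("returnTo") ?? "/";
  return redirect(returnTo);
}

// Hardened pattern: validate the target first and fall back to a fixed
// application path whenever the input is not a same-origin relative path.
function safeLoader({ request }) {
  const returnTo = new URL(request.url).searchParams.get("returnTo");
  return redirect(safeRelativePath(returnTo) ?? "/dashboard");
}
```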



Advisories

Source: GitHub GHSA
ID: GHSA-2w69-qvjg-hvjx
Title: React Router vulnerable to XSS via Open Redirects
History

Tue, 02 Jun 2026 17:15:00 +0000

Type: Description
Values Removed: React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Values Added: React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Tue, 10 Feb 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Shopify; Shopify react-router; Shopify remix-run/react

Type: CPEs
Values Added: cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*; cpe:2.3:a:shopify:remix-run\/react:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Shopify; Shopify react-router; Shopify remix-run/react

Tue, 13 Jan 2026 00:15:00 +0000

Type: References

Type: Metrics threat_severity
Values Removed: None
Values Added: Important


Mon, 12 Jan 2026 18:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 10 Jan 2026 03:15:00 +0000

Type: Description
Values Added: React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Type: Title
Values Added: React Router vulnerable to XSS via Open Redirects

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T16:58:42.516Z

Reserved: 2026-01-05T22:30:38.718Z

Link: CVE-2026-22029

Vulnrichment

Updated: 2026-01-12T18:10:24.549Z

NVD

Status: Modified

Published: 2026-01-10T03:15:48.870

Modified: 2026-06-17T10:19:23.220

Link: CVE-2026-22029

Red Hat

Severity: Important

Public Date: 2026-01-10T02:42:32Z

Links: CVE-2026-22029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-02T19:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')