Description
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Published: 2026-01-10
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‐side Script Execution via Open Redirects
Action: Patch
AI Analysis

Impact

React Router (Remix) allows attackers to trigger client‑side script execution by exploiting open redirects that originate from loaders or actions in Framework, Data, or unstable RSC modes. The vulnerability occurs when a redirect URL is constructed from untrusted content: the resulting unsafe URL can cause JavaScript to execute in the user’s browser. This is an example of a cross‑site scripting flaw (CWE‑79). The impact is that an attacker can execute arbitrary code on the client without needing other privileges.

Affected Systems

Vendors: remix-run (React Router). Affected versions are @remix-run/router before 1.23.2 and react-router versions 7.0.0 through 7.11.0. Versions 1.23.2 and 7.12.0 and later contain the fix. If Declarative Mode (<BrowserRouter>) is used, the issue does not apply.

Risk and Exploitability

The CVSS score is 8, indicating high severity. The EPSS score is less than 1%, showing a very low exploit probability as of the data available. The vulnerability is not listed in CISA’s KEV catalog. The attack likely requires that an attacker can influence the redirect URL used by a loader or action; the attack vector is user‑directed, through a link that the victim clicks. Successful exploitation permits arbitrary JavaScript execution in the victim’s browser, providing opportunities for phishing, credential theft, or further client‑side attacks.

Generated by OpenCVE AI on April 18, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @remix-run/router to version 1.23.2 or later
  • Upgrade react-router to version 7.12.0 or later
  • Verify that any redirects generated by loaders or actions do not use untrusted user input; sanitize or reject such redirects
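To illustrate the third action, here is an added example (not code from react-router or from this advisory) of a loader that only accepts same-origin, app-relative redirect targets and falls back to a fixed path otherwise. The function names, the `redirectTo` query parameter and the placeholder origin are assumptions; in a real app the returned location would be passed to React Router's `redirect()` helper.

```javascript
// Added example: allow-list a redirect target taken from untrusted input before a
// React Router loader/action redirects to it. Not code from react-router itself.
// Assumption: the app reads the target from a `redirectTo` query parameter.

// Returns an app-relative path ("/...") or `fallback` for anything else:
// absolute URLs, scheme-relative "//host", backslash tricks, javascript:/data:
// schemes, or whitespace/control characters that URL parsers silently strip.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string") return fallback;
  const raw = candidate.trim();
  // Must be a single-slash path; "//host" and "/\host" resolve to another origin.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return fallback;
  }
  // Parsers drop tabs/newlines, which can turn "/\t/evil.example" into
  // "//evil.example"; refuse such input instead of normalising it.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return fallback;
  // Resolve against a fixed placeholder origin; if the origin changes after
  // parsing, the candidate escaped the app and is rejected.
  const base = "https://app.invalid";
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return fallback;
  }
  if (url.origin !== base) return fallback;
  // Re-serialise from the parsed parts so only path, query and fragment survive.
  return url.pathname + url.search + url.hash;
}

// Loader-shaped function: `request` is the Fetch Request React Router hands to
// loaders/actions. Only `request.url` is read, so a plain object works in tests.
function afterLoginLoader({ request }) {
  const wanted = new URL(request.url).searchParams.get("redirectTo");
  const location = safeRedirectTarget(wanted, "/dashboard");
  // In the app this would be `return redirect(location)`; a plain object stands in.
  return { status: 302, headers: { Location: location } };
}
```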



Advisories
Source: Github GHSA
ID: GHSA-2w69-qvjg-hvjx
Title: React Router vulnerable to XSS via Open Redirects
History

Tue, 10 Feb 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Shopify; Shopify react-router; Shopify remix-run\/react

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*; cpe:2.3:a:shopify:remix-run\/react:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Shopify; Shopify react-router; Shopify remix-run\/react

Tue, 13 Jan 2026 00:15:00 +0000

Type: References
Values Removed: (none shown)
Values Added: (none shown)

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Important


Mon, 12 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 10 Jan 2026 03:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Type: Title
Values Removed: (none)
Values Added: React Router vulnerable to XSS via Open Redirects

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none shown)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:50.771Z

Reserved: 2026-01-05T22:30:38.718Z

Link: CVE-2026-22029

Vulnrichment

Updated: 2026-01-12T18:10:24.549Z

NVD

Status: Analyzed

Published: 2026-01-10T03:15:48.870

Modified: 2026-02-10T19:36:31.503

Link: CVE-2026-22029

Redhat

Severity: Important

Public Date: 2026-01-10T02:42:32Z

Links: CVE-2026-22029 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses