Description
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.
Published: 2026-06-02
Score: 6.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

React Router's redirect function accepts a path value and returns a redirect response. In the affected versions, a path that begins with two slashes (//) is reinterpreted as a protocol-relative URL, so the browser resolves it against the host named in the path rather than the application's own origin; an attacker who controls that value can therefore send the user to an external domain. This is a classic open redirect (CWE-601) that can be abused for phishing or to lead users to malicious sites behind a trusted-looking link, undermining the integrity of the application's navigation.

Affected Systems

Vendors: Remix Run – React Router. Affected component versions include React Router 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3. The issue is resolved in 7.14.1 and 6.30.4. Applications that operate in Declarative Mode (<BrowserRouter>) are not impacted.

Risk and Exploitability

The CVSS score of 6.6 indicates medium severity; no EPSS score is available, and the vulnerability is not listed in CISA KEV. The attack requires only that a malicious actor supply or manipulate a redirect parameter containing a path that starts with //; no privileges or prior compromise are needed. If the host application does not strictly validate or allowlist redirect destinations, the attacker can lure users into following the forged redirect, exposing them to phishing or other attacks that rely on a trusted-looking link.

Generated by OpenCVE AI on June 3, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to React Router version 7.14.1 or 6.30.4 to apply the official patch
  • If an immediate upgrade is not feasible, reject any redirect paths that begin with '//' or enforce a scheme check before issuing the redirect
  • Validate all redirect targets against a strict whitelist of trusted domains to prevent abuse of the redirect functionality
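The flaw described in the Impact section and the two interim mitigations above (rejecting paths that begin with // and checking external targets against a strict list of trusted hosts) as one worked example. This is added JavaScript, not React Router's code and not part of the advisory; the application origin https://app.example and the allowed-host list are assumed placeholders. The value it returns is what an application would hand to React Router's redirect helper instead of the raw user-supplied parameter.

```javascript
// Added example (not React Router's own code): validate a user-supplied redirect
// target before it reaches the router's redirect helper.
// Assumed placeholder for the application's own origin; used only as a parse base.
const APP_ORIGIN = "https://app.example";

// True only for an absolute path that stays on APP_ORIGIN.
function isSameOriginPath(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Relative paths and full URLs are not accepted as same-origin paths.
  if (!target.startsWith("/")) return false;
  // "//host" is protocol-relative; "/\host" is normalised to the same thing by
  // WHATWG-compliant parsers (browsers and Node), so reject both up front.
  if (target.startsWith("//") || target.startsWith("/\\")) return false;
  // Control characters and whitespace are stripped by some parsers; reject them
  // so the string we return is the string the parser will see.
  if (/[\u0000-\u001F\u007F\s]/.test(target)) return false;
  // Belt and braces: resolve against the app origin and confirm it did not change.
  let parsed;
  try {
    parsed = new URL(target, APP_ORIGIN);
  } catch {
    return false;
  }
  return parsed.origin === APP_ORIGIN;
}

// Resolve a redirect target to something safe to pass to the router:
//  - a same-origin path is returned unchanged;
//  - an https URL whose hostname is in allowedHosts is returned normalised;
//  - anything else (including "//evil.example") collapses to the fallback.
function resolveRedirect(target, { allowedHosts = [], fallback = "/" } = {}) {
  if (isSameOriginPath(target)) return target;
  let parsed;
  try {
    parsed = new URL(target); // no base: "//host" and bare paths throw here
  } catch {
    return fallback;
  }
  // Exact hostname match against the allowlist; no suffix matching, https only.
  if (parsed.protocol === "https:" && allowedHosts.includes(parsed.hostname)) {
    return parsed.href;
  }
  return fallback;
}

// Constructed sample inputs, as an application might receive them in a ?next= parameter.
const samples = [
  "/dashboard",
  "/account?tab=security",
  "//evil.example/phish",
  "/\\evil.example",
  "https://docs.example/guide",
  "https://evil.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", resolveRedirect(s, { allowedHosts: ["docs.example"] }));
}
```

The early string checks are what the advisory's interim workaround asks for; the URL-parse comparison is the scheme check that catches spellings the prefix tests miss. Keeping the allowlist to exact hostnames (not suffixes) avoids the classic "trusted.example.evil.example" bypass.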



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.
Title React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T17:55:09.919Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40181

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T20:16:35.597

Modified: 2026-06-02T20:16:35.597

Link: CVE-2026-40181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses