React Router has unexpected external redirect via untrusted paths

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

Basic Information

ID CVE-2025-68470

Source GitHub_M

Published Jan 10, 2026 at 02:39

Affected Product

Vendor remix-run

Product react-router

Version >= 7.0.0, < 7.9.6

Affected Versions remix-run react-router >= 7.0.0, < 7.9.6
remix-run react-router >= 6.0.0, < 6.30.2

CWE Classification

CWE-601

References

github.com /remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m

{
    "lastseen": "",
    "description": "React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.",
    "published": "2026-01-10T02:39:41.078Z",
    "modified": "2026-01-10T02:39:41.078Z",
    "type": "cve",
    "title": "React Router has unexpected external redirect via untrusted paths",
    "source": "GitHub_M",
    "references": "https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m",
    "id": "CVE-2025-68470",
    "bulletinFamily": "",
    "cwe": [
        "CWE-601"
    ],
    "cvelist": null,
    "sourceData": "remix-run react-router >= 7.0.0, < 7.9.6\nremix-run react-router >= 6.0.0, < 6.30.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "react-router",
    "version": ">= 7.0.0, < 7.9.6",
    "vendor": "remix-run",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

React Router has unexpected external redirect via untrusted paths_CVE-2025-68470