React Router’s same-origin redirect with path starting // causes open...

6.6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Description

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.

Basic Information

ID CVE-2026-40181

Source GitHub_M

Published Jun 2, 2026 at 17:55

Affected Product

Vendor remix-run

Product react-router

Version >= 7.0.0, < 7.14.1

Affected Versions remix-run react-router >= 7.0.0, < 7.14.1
remix-run react-router >= 6.7.0, < 6.30.4

CWE Classification

CWE-601

References

github.com /remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42

{
    "lastseen": "",
    "description": "React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.",
    "published": "2026-06-02T17:55:09.919Z",
    "modified": "2026-06-02T17:55:09.919Z",
    "type": "cve",
    "title": "React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation",
    "source": "GitHub_M",
    "references": "https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42",
    "id": "CVE-2026-40181",
    "bulletinFamily": "",
    "cwe": [
        "CWE-601"
    ],
    "cvelist": null,
    "sourceData": "remix-run react-router >= 7.0.0, < 7.14.1\nremix-run react-router >= 6.7.0, < 6.30.4",
    "sourceHref": "",
    "cvss": {
        "score": 6.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "react-router",
    "version": ">= 7.0.0, < 7.14.1",
    "vendor": "remix-run",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

React Router’s same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation_CVE-2026-40181