CVE-2025-68470

MEDIUM6.5EPSS 0.05%

React Router has unexpected external redirect via untrusted paths

Published: 1/8/2026Modified: 2/3/2026

Description

An attacker-supplied path can be crafted so that when a React Router application navigates to it via `navigate()`, `<Link>`, or `redirect()`, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Affected packages (1)

npm/react-router>= 6.0.0, < 6.30.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68470
PATCHhttps://github.com/remix-run/react-router
WEBhttps://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m