React Router has unexpected external redirect via untrusted paths

GHSA-9jcx-v3wj-wh4m · CVE-2025-68470

Published Jan 8, 2026 · Modified Feb 3, 2026

Description

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

References

WEB https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-68470
PACKAGE https://github.com/remix-run/react-router

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes