React Router vulnerable to XSS via Open Redirects

GHSA-2w69-qvjg-hvjx · CVE-2026-22029

Published Jan 8, 2026 · Modified Feb 3, 2026

Description

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

[!NOTE]
This does not impact applications that use Declarative Mode (<BrowserRouter>).

References

WEB https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22029
PACKAGE https://github.com/remix-run/react-router

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes