React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

GHSA-2j2x-hqr9-3h42 · CVE-2026-40181

Published Jun 3, 2026 · Modified Jun 9, 2026

Description

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

References

WEB https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40181
PACKAGE https://github.com/remix-run/react-router

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes