VDB
KO
MEDIUM

GHSA-2j2x-hqr9-3h42

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Details

Certain URLs passed to the `redirect` function can trigger an open redirect to an external domain, depending on how much validation the application performs on the target before returning the `redirect`.

> [!NOTE]
> This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`)
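The advisory's point is that a redirect target beginning with `//` is not a path on the current host: browsers read it as a protocol-relative URL, so the user leaves the origin. The following is an added example of an application-side check, not code from the advisory or from React Router, that resolves a requested target against the app's own origin (assumed here to be `https://app.example`) and only hands same-origin targets on to `redirect`. It relies on the WHATWG URL parser available in browsers and Node, which also normalizes `/\` to `//` for `https:` URLs, so that variant is caught as well.

```javascript
// Added example (not React Router's code): validate a user-supplied
// redirect target before passing it to React Router's `redirect()`.
const APP_ORIGIN = "https://app.example"; // assumed application origin

// Returns true only when `target` resolves to a URL on `origin`.
// Resolving with the URL constructor is what exposes the problem case:
// "//other.example/x" resolves to https://other.example/x, not to a
// path on the current host.
function isSameOriginRedirect(target, origin = APP_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Explicitly reject protocol-relative forms ("//", "/\", "\\").
  // The resolution below would also catch them, since WHATWG parsing
  // treats "\" as "/" for special schemes, but being explicit makes
  // the intent obvious to the next reader.
  if (/^[\/\\]{2}/.test(target)) return false;
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return false; // unparsable input is never a valid redirect target
  }
  return resolved.origin === new URL(origin).origin;
}

// Chooses the post-action destination: the requested target if it stays
// on our origin, otherwise a fixed fallback path.
function safeRedirectTarget(requested, fallback = "/") {
  return isSameOriginRedirect(requested) ? requested : fallback;
}

// Constructed sample inputs, as a loader might receive them from a
// `?next=` query parameter.
const samples = [
  "/dashboard",
  "//other.example/landing",
  "/\\other.example",
  "https://other.example/",
  "https://app.example/settings",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}

module.exports = { isSameOriginRedirect, safeRedirectTarget, APP_ORIGIN };
```

In a loader or action this would be used as `return redirect(safeRedirectTarget(url.searchParams.get("next")));`, so that only a validated, same-origin path ever reaches the `redirect` helper. Comparing `origin` values rather than testing for a leading `/` is the important design choice: a leading slash is exactly what makes `//host` look safe to a naive check.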


Affected packages

npm / react-router
  Introduced in: 7.0.0
  Fixed in: 7.14.1
  Fix: npm install react-router@7.14.1

npm / react-router
  Introduced in: 6.7.0
  Fixed in: 6.30.4
  Fix: npm install react-router@6.30.4

References