MEDIUM 6.5

GHSA-9jcx-v3wj-wh4m

React Router has unexpected external redirect via untrusted paths

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via `navigate()`, `<Link>`, or `redirect()`, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.
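One way to keep untrusted content out of navigation paths, as an added example that is not code from React Router or from this advisory: an allow-list check that accepts only absolute in-app paths and falls back to a default otherwise. The advisory does not list which path shapes trigger the redirect, so the check is deliberately conservative; `APP_ORIGIN`, `toSafeInternalPath` and the `returnTo` parameter named below are assumptions.

```javascript
// Added example: validate an untrusted value before it reaches navigate(),
// <Link to>, or redirect(). APP_ORIGIN and the function name are
// assumptions made for this sketch, not React Router APIs.
const APP_ORIGIN = "https://app.example"; // placeholder origin

function toSafeInternalPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string") return fallback;

  // Reject control characters, whitespace and backslashes outright: URL
  // parsers strip or normalise them, so the string that was checked could
  // differ from the string that is finally navigated to.
  if (/[\u0000-\u0020\u007f\\]/.test(untrusted)) return fallback;

  // Require exactly one leading slash, i.e. an absolute in-app path rather
  // than a reference that carries its own scheme or host.
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let resolved;
  try {
    resolved = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }

  // Defence in depth: the resolved URL must stay on the application origin.
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Return the normalised form so the value used is the value checked.
  return resolved.pathname + resolved.search + resolved.hash;
}
```

A call site would wrap the untrusted value, for example `navigate(toSafeInternalPath(searchParams.get("returnTo")))`. This complements upgrading to a fixed version and does not replace it.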

Affected packages

npm / react-router
Introduced in: 6.0.0
Fixed in: 6.30.2
Fix: `npm install react-router@6.30.2`

npm / react-router
Introduced in: 7.0.0
Fixed in: 7.9.6
Fix: `npm install react-router@7.9.6`
