CVE-2026-22029
Modified Modified - Updated After Analysis
Open Redirect in React Router Causes Unsafe Client-Side Script Execution

Publication date: 2026-01-10

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22029
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shopify remix-run/react to 1.23.2 (exc)
shopify react-router From 7.0.0 (inc) to 7.11.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22029 is a high-severity cross-site scripting (XSS) vulnerability in React Router and Remix single-page applications. It occurs when open navigation redirects are created from loaders or actions in Framework Mode, Data Mode, or unstable React Server Components modes using versions of @remix-run/router prior to 1.23.2 and react-router versions 7.0.0 through 7.11.0. If redirect paths are constructed from untrusted input or via open redirects, this can lead to unsafe URLs that cause unintended JavaScript execution on the client side. This vulnerability does not affect applications using Declarative Mode (such as <BrowserRouter>). The issue was fixed in @remix-run/router 1.23.2 and react-router 7.12.0. [1]

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, allowing attackers to execute malicious JavaScript in users' browsers. This can compromise the confidentiality and integrity of user data, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. The CVSS score indicates high impact on confidentiality and integrity, though availability is not affected. [1]

Detection Guidance

Detection involves identifying if your application uses vulnerable versions of @remix-run/router (≀1.23.1) or react-router (β‰₯7.0.0 and ≀7.11.0) and if it creates open navigation redirects from untrusted input in Framework Mode, Data Mode, or unstable RSC modes. You can check your installed package versions with commands like `npm list @remix-run/router` or `npm list react-router`. Additionally, testing for open redirects and potential XSS by attempting to inject JavaScript payloads in redirect parameters may help detect exploitation. There are no specific commands provided for network detection in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade @remix-run/router to version 1.23.2 or later, and react-router to version 7.12.0 or later, where the vulnerability has been patched. Also, avoid creating redirect paths from untrusted content or open redirects, and consider using Declarative Mode (e.g., <BrowserRouter>) which is not affected by this issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart