CVE-2026-40181
Analyzed Analyzed - Analysis Complete
Open Redirect Vulnerability in React Router

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-40181
EUVD
EUVD-2026-33996
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shopify react-router From 6.7.0 (inc) to 6.30.4 (exc)
shopify react-router From 7.0.0 (inc) to 7.14.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40181 is a security vulnerability in the React Router library affecting versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3. The issue arises when certain URLs passed to the redirect function start with "//", which are reinterpreted as protocol-relative URLs. This can cause an open redirect to an external domain if the application does not properly validate these URLs before redirecting.

This vulnerability only affects applications using programmatic redirect methods and does not impact those using Declarative Mode (i.e., <BrowserRouter>). The vulnerability has been patched in versions 7.14.1 and 6.30.4.

Impact Analysis

This vulnerability can lead to an open redirect, where users can be redirected to external, potentially malicious domains without proper validation. This can be exploited for phishing attacks, redirecting users to harmful websites, or bypassing security controls.

The level of impact depends on how well the application validates URLs before performing redirects. Applications using programmatic redirects without sufficient validation are at risk, while those using Declarative Mode are not affected.

Detection Guidance

This vulnerability can be detected by identifying if your application uses affected versions of React Router (>=7.0.0,<7.14.1 or >=6.7.0,<6.30.4) and if it performs programmatic redirects with URLs starting with "//" that could lead to open redirects.

To detect potential exploitation attempts on your network or system, you can monitor HTTP requests and responses for redirect URLs that start with "//" indicating protocol-relative URLs that might cause open redirects.

  • Use network traffic analysis tools (e.g., Wireshark, tcpdump) to filter HTTP responses with 3xx status codes and check the Location header for URLs starting with "//".
  • On the server or application logs, search for redirect function calls or logs containing redirect URLs starting with "//".
  • Example command to search application logs for suspicious redirects: grep -r 'redirect("//' /path/to/logs
  • Example command to capture HTTP redirect responses with tcpdump: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'Location: //'
Mitigation Strategies

The immediate mitigation step is to upgrade React Router to a patched version: 7.14.1 or later, or 6.30.4 or later.

Additionally, review your application code to ensure that any URLs passed to redirect functions are properly validated and sanitized to prevent open redirects.

If upgrading immediately is not possible, implement strict validation on redirect URLs to disallow URLs starting with "//" or any protocol-relative URLs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart