CVE-2026-40181
Open Redirect Vulnerability in React Router
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remix-run | react-router | From 6.7.0 (inc) to 6.30.4 (exc) |
| remix-run | react-router | From 7.0.0 (inc) to 7.14.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40181 is a security vulnerability in the React Router library affecting versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3. The issue arises when certain URLs passed to the redirect function start with "//", which are reinterpreted as protocol-relative URLs. This can cause an open redirect to an external domain if the application does not properly validate these URLs before redirecting.
This vulnerability only affects applications using programmatic redirect methods and does not impact those using Declarative Mode (i.e., <BrowserRouter>). The vulnerability has been patched in versions 7.14.1 and 6.30.4.
How can this vulnerability impact me?
This vulnerability can lead to an open redirect, where users can be redirected to external, potentially malicious domains without proper validation. This can be exploited for phishing attacks, redirecting users to harmful websites, or bypassing security controls.
The level of impact depends on how well the application validates URLs before performing redirects. Applications using programmatic redirects without sufficient validation are at risk, while those using Declarative Mode are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your application uses affected versions of React Router (>=7.0.0,<7.14.1 or >=6.7.0,<6.30.4) and if it performs programmatic redirects with URLs starting with "//" that could lead to open redirects.
To detect potential exploitation attempts on your network or system, you can monitor HTTP requests and responses for redirect URLs that start with "//" indicating protocol-relative URLs that might cause open redirects.
- Use network traffic analysis tools (e.g., Wireshark, tcpdump) to filter HTTP responses with 3xx status codes and check the Location header for URLs starting with "//".
- On the server or application logs, search for redirect function calls or logs containing redirect URLs starting with "//".
- Example command to search application logs for suspicious redirects: `grep -r 'redirect("//' /path/to/logs`
- Example command to capture HTTP redirect responses with tcpdump: `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i 'Location: //'` (this only matches plaintext HTTP; TLS traffic on port 443 is encrypted on the wire, so inspect the Location header at a TLS-terminating proxy or in the application's own response logs instead).
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade React Router to a patched version: 7.14.1 or later, or 6.30.4 or later.
Additionally, review your application code to ensure that any URLs passed to redirect functions are properly validated and sanitized to prevent open redirects.
If upgrading immediately is not possible, implement strict validation on redirect URLs to disallow URLs starting with "//" or any protocol-relative URLs.
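The following is an added example, not code from React Router or from this advisory, showing the two defensive pieces the Q&A above describes: a redirect-target validator that rejects protocol-relative ("//") and otherwise off-origin targets, for use as a guard in front of a programmatic redirect while an upgrade is pending, and a small scanner that flags 3xx responses whose Location header starts with "//" in response logs. The function names, the sentinel base origin and the log line format are assumptions made for this example; the log lines are constructed sample data.

```javascript
// Added example (not React Router's own code). Assumed helper names:
// safeRedirectTarget, isProtocolRelative, findProtocolRelativeRedirects.

// A sentinel origin used only to resolve the candidate target. If resolving
// the target changes the origin, the target would leave the site.
const SENTINEL_ORIGIN = 'http://sentinel.invalid'; // assumed, never contacted

// Return a same-origin path (path + query + fragment) derived from `target`,
// or `fallback` when the target would redirect off-origin or cannot be parsed.
// Relying on the WHATWG URL parser (the same rules browsers apply) catches
// "//host", "/\host", leading whitespace/control characters, "https://host"
// and "javascript:" forms without a hand-written denylist.
function safeRedirectTarget(target, fallback = '/') {
  if (typeof target !== 'string') return fallback;
  let resolved;
  try {
    resolved = new URL(target, SENTINEL_ORIGIN);
  } catch {
    return fallback; // unparseable input is never a valid redirect target
  }
  if (resolved.origin !== SENTINEL_ORIGIN) return fallback;
  // Re-emit the normalised path so the caller never redirects the raw string.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Cheap syntactic check for the exact shape named in the advisory: a target
// beginning with two slashes (or backslashes, which browsers treat as "/"),
// after ignoring leading whitespace. Used for log scanning, where the full
// URL resolution above is unnecessary.
function isProtocolRelative(target) {
  return typeof target === 'string' && /^\s*[\/\\]{2}/.test(target);
}

// Constructed sample response log, one line per response (assumed format):
// "<timestamp> <status> <method> <path> Location: <target>" or "-" for none.
const SAMPLE_LOG_LINES = [
  '2026-06-02T10:00:00Z 302 GET /login Location: //evil.example/phish',
  '2026-06-02T10:00:01Z 302 GET /login Location: /dashboard',
  '2026-06-02T10:00:02Z 200 GET /home -',
  '2026-06-02T10:00:03Z 301 GET /old Location: /new',
];

const LOG_LINE = /^(\S+) (\d{3}) (\S+) (\S+) Location: (\S+)$/;

// Return the redirect responses (3xx) whose Location target is protocol-relative.
function findProtocolRelativeRedirects(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue; // no Location header on this line
    const [, timestamp, status, method, path, location] = m;
    if (status[0] === '3' && isProtocolRelative(location)) {
      hits.push({ timestamp, status: Number(status), method, path, location });
    }
  }
  return hits;
}

// Usage (guarding a programmatic redirect with a user-supplied "returnTo"):
//   const target = safeRedirectTarget(searchParams.get('returnTo'));
//   return redirect(target);   // redirect() being the app's router call
for (const hit of findProtocolRelativeRedirects(SAMPLE_LOG_LINES)) {
  console.log(`suspicious redirect at ${hit.timestamp}: ${hit.path} -> ${hit.location}`);
}
```

The validator deliberately returns a re-serialised path rather than the caller's original string, so even inputs that parse as same-origin are normalised before being handed to the router's redirect call; anything that resolves to a different origin, including scheme-prefixed and protocol-relative forms, collapses to the fallback.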