React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open…
Published:
9 januari 2026 om 23:00:00
Alert date:
10 januari 2026 om 13:10:58
Source:
nvd.nist.gov
React Router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0 contain an open redirect vulnerability in SPA navigation. The vulnerability affects Framework Mode, Data Mode, and unstable RSC modes, allowing unsafe URLs to cause unintended JavaScript execution on the client. The issue only occurs when creating redirect paths from untrusted content or via open redirects. Declarative Mode using BrowserRouter is not affected. Patches are available in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Technical details
Mitigation steps:
Affected products:
React Router
@remix-run/router
Remix
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22029
https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.