React Router has unexpected external redirect via untrusted paths
Moderate severity, GitHub Reviewed
Published Jan 8, 2026 in remix-run/react-router • Updated Jan 8, 2026
Package
Affected versions: >= 6.0.0, < 6.30.2 and >= 7.0.0, < 7.9.6
Patched versions: 6.30.2 and 7.9.6
Published to the GitHub Advisory Database: Jan 8, 2026
Reviewed: Jan 8, 2026
Last updated: Jan 8, 2026
Description
An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.
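One way to constrain untrusted input in application code before it reaches navigate(), <Link> or redirect(), shown as an added example that is not part of the advisory or of React Router's own code. The helper name safeInternalPath, the placeholder origin and the "/" fallback are assumptions; the advisory does not list the triggering path forms, so the inputs rejected here are generic external-redirect shapes.

```javascript
// Added example (not React Router code). All names are hypothetical.
// Placeholder origin used only to resolve the candidate; never navigated to.
const BASE = "http://internal.invalid";

// Returns a normalised same-app path, or `fallback` if the input could
// resolve anywhere other than a path inside the application.
function safeInternalPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string") return fallback;

  // Control characters, whitespace and backslashes are stripped or rewritten
  // by URL parsers, so the string validated could differ from the one used.
  if (/[\u0000-\u0020\u007f\\]/.test(untrusted)) return fallback;

  // Require an absolute path with exactly one leading slash: this excludes
  // scheme-qualified URLs and protocol-relative ("//host") values.
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let url;
  try {
    url = new URL(untrusted, BASE);
  } catch {
    return fallback;
  }

  // After resolution the target must still sit on the placeholder origin.
  if (url.origin !== BASE) return fallback;

  // Dot-segment removal can itself produce a "//host" path
  // (for example "/a/..//host" normalises to "//host"), so re-check.
  if (url.pathname.startsWith("//")) return fallback;

  // Hand back the normalised form, never the raw input.
  return url.pathname + url.search + url.hash;
}

// Typical call site (parameter name "redirectTo" is an assumption):
//   navigate(safeInternalPath(searchParams.get("redirectTo")));
```

Validation of this kind complements, and does not replace, upgrading to a patched version listed above.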