CVE Reports

Originally published at cvereports.com

CVE-2026-40181: Open Redirect Vulnerability in React Router

Vulnerability ID: CVE-2026-40181
CVSS Score: 6.6
Published: 2026-06-03

An open redirect vulnerability exists in the react-router library due to insufficient validation of double-slash-prefixed paths passed to the programmatic redirect navigation helper. Attackers can leverage this to bypass standard destination validation checks and redirect users to malicious domains. This occurs because browsers interpret double-slash URLs as protocol-relative targets (a different host) rather than as relative application paths.

TL;DR

React Router fails to validate protocol-relative double-slash URLs (e.g., //attacker.com) in its redirect helper, allowing attackers to bypass internal redirect checks and route users to external malicious sites.


Technical Details

  • CWE ID: CWE-601 (URL Redirection to Untrusted Site)
  • Attack Vector: Network (AV:N)
  • CVSS Score: 6.6
  • EPSS Score: 0.00041
  • Impact: High Integrity Impact (External Redirection Phishing)
  • Exploit Status: Unproven (No active public exploits)
  • KEV Status: Not Listed

Affected Systems

  • react-router
  • react-router-dom
  • Remix Framework (via React Router core library)

Mitigation Strategies

  • Upgrade React Router dependencies to patched releases (6.30.4+ or 7.14.1+).
  • Sanitize and validate redirection target paths manually using a strict relative URL validation function that rejects double slashes and backslashes.
  • Implement a robust Content Security Policy (CSP) with form-action restrictions to block unauthorized redirections.

Remediation Steps:

  1. Identify all routing logic and loaders/actions utilizing the programmatic redirect function.
  2. Review dependencies and update react-router and react-router-dom to 6.30.4 (for v6 apps) or 7.14.1 (for v7 apps).
  3. If immediate upgrading is unfeasible, deploy a utility helper function to sanitize user-provided redirect paths, rejecting double slashes (//) and backslashes (\).
  4. Verify the implementation with automated unit tests that attempt to pass protocol-relative parameters.
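The helper described in steps 3 and 4, as an added example (not code from React Router or from the original report): a strict relative-path validator that only passes targets which stay on the application's own origin, plus a loader wrapper that takes React Router's redirect() as a parameter so the file runs offline. The fixed origin "https://app.invalid" is an assumed placeholder used only for parsing.

```javascript
// Added example, not part of react-router: accept only same-origin application
// paths as redirect targets and fall back to a safe default otherwise.
const DEFAULT_REDIRECT = "/";

function isSafeRelativePath(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Must be an absolute application path: starts with exactly one slash.
  if (target[0] !== "/") return false;
  // "//evil.example" is protocol-relative; the browser resolves it to another host.
  if (target[1] === "/") return false;
  // Browsers normalize backslashes to slashes ("/\evil.example" -> "//evil.example").
  if (target.includes("\\")) return false;
  // URL parsers strip tabs/newlines, so "/\t/evil.example" would collapse into
  // a protocol-relative URL; reject control characters and whitespace outright.
  if (/[\u0000-\u001F\u007F\s]/.test(target)) return false;
  // Final check: resolve against a fixed placeholder origin and confirm it stays there.
  const base = "https://app.invalid"; // assumed placeholder origin
  let parsed;
  try {
    parsed = new URL(target, base);
  } catch {
    return false;
  }
  return parsed.origin === base;
}

// Returns the target unchanged when safe, otherwise the fallback path.
function safeRedirectTarget(target, fallback = DEFAULT_REDIRECT) {
  return isSafeRelativePath(target) ? target : fallback;
}

// Loader factory: `redirect` is react-router's redirect() in a real app;
// it is injected here so this example has no framework dependency.
function makeLoginLoader(redirect) {
  return ({ request }) => {
    const returnTo = new URL(request.url).searchParams.get("returnTo");
    return redirect(safeRedirectTarget(returnTo));
  };
}
```

In a real loader or action, call redirect(safeRedirectTarget(userSuppliedPath)) instead of passing the user-supplied value straight through.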

Read the full report for CVE-2026-40181 on our website for more details including interactive diagrams and full exploit analysis.
