CVE-2025-68470 MEDIUM

CVE-2025-68470: React Router has unexpected external redirect via untrusted paths

Vendor Remix-Run

Product react-router

Weakness CWE-601 · Open redirect

Published January 10, 2026

Last update January 12, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

Key dates

02Disclosure timeline

January 10, 2026 CVE published

January 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68470

Related vulnerabilities

Identifiers

CVE CVE-2025-68470

CWE CWE-601

CVSS 6.5 / MEDIUM

Affected versions

Vendor Remix-Run

Product react-router

Affected >= 7.0.0, < 7.9.6

Vendor Remix-Run

Product react-router

Affected >= 6.0.0, < 6.30.2

CVE-2025-68470: React Router has unexpected external redirect via untrusted paths

01Description

02Disclosure timeline

03References

04Related CVE