Fluid Attacks Database

Description

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	react-router	>=7.0.0 <7.14.1 \|\| >=6.7.0 <6.30.4	7.14.1, 6.30.4

Aliases

1. CVE-2026-401812. NVD-2026-401813. OSV-2026-401814. GHSA-2j2x-hqr9-3h425. GCVE-2026-40181

References

1. https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.