CVE-2025-68470
Published 2026-01-10
Priority P3 · 36 · medium 6.5 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.20% (9.8th percentile)
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | >= 6.0.0 < 6.30.2 | 6.30.2 |
| remix-run | react-router | >= 7.0.0 < 7.9.6 | 7.9.6 |
| shopify | react-router | 6.0.0 – 6.30.1 | — |
| shopify | react-router | 7.0.0 – 7.9.5 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| vendor_redhat | — | 6.5 | MEDIUM | — |
Red Hat
react-router: React Router unexpected external redirect
vendor_redhat · 2026-01-10 · CVSS 6.5 · MEDIUM · CWE-601
An open redirect flaw has been discovered in the react-router npm library. An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you a
GHSA
React Router has unexpected external redirect via untrusted paths
ghsa · 2026-01-08 · MEDIUM · CWE-601
An attacker-supplied path can be crafted so that when a React Router application navigates to it via `navigate()`, ``, or `redirect()`, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.
OSV
React Router has unexpected external redirect via untrusted paths
osv · 2026-01-08 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-68470 h3: React Router unexpected external redirect [fedora-42]
bugzilla · 2026-01-12 · CVSS 6.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from re
Bugzilla
CVE-2025-68470 react-router: React Router unexpected external redirect
bugzilla · 2026-01-10 · CVSS 6.5 · MEDIUM
Wiz
CVE-2025-68470 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.6 · HIGH
## CVE-2025-68470: React Router vulnerability analysis and mitigation
Source: NVD
Score: 6.5
Published: January 10, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: React Router; Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A