React
CVE-2025-68470
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 25 npm packages depend on react-router (7 direct, 19 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionGitHub Advisory
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
AnalysisAI
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Technical ContextAI
This vulnerability (CWE-601: URL Redirection to Untrusted Site (Open Redirect)) affects React-Router. React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9jcx-v3wj-wh4m