CVE-2025-68470
MEDIUM
GHSA-9jcx-v3wj-wh4m
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3Tags
Description
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Analysis
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Technical Context
This vulnerability (CWE-601: URL Redirection to Untrusted Site (Open Redirect)) affects React-Router. React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Affected Products
Vendor: Shopify. Product: React-Router. Versions: up to 6.30.1.
Remediation
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today