MEDIUM 6.1

CVE-2026-40181: React Router Open Redirect Vulnerability (v6 & v7)

React Router, a widely-used navigation library for React applications, contains an open redirect vulnerability in specific versions. When certain URLs are passed to the redirect function, the library can inadvertently send users to an external website controlled by an attacker. This happens because paths beginning with double slashes (//) are misinterpreted as protocol-relative URLs, allowing an attacker to craft a malicious URL that bypasses the intended redirect destination. The vulnerability only affects applications using the programmatic redirect function; applications built with React Router's declarative mode (using <BrowserRouter>) are not impacted. The severity of the risk depends on how thoroughly the application validates URLs before redirecting.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

React Router versions 7.0.0–7.14.0 and 6.7.0–6.30.3 contain an open redirect flaw (CWE-601) in the redirect function. The root cause is improper handling of path values that begin with //; these are parsed as protocol-relative URLs rather than as relative paths. An attacker can construct a URL with a // prefix that, when passed to the redirect function, resolves to an arbitrary external domain. The vulnerability does not affect applications using declarative routing patterns such as <BrowserRouter>, as those code paths do not exhibit the same parsing behavior. Impact is modulated by the application's input validation: applications that validate redirect destinations prior to invoking the redirect function mitigate the risk substantially.

Business impact

Open redirect vulnerabilities are commonly exploited in phishing campaigns. An attacker can craft a deceptive link that appears to direct users to your legitimate application but actually redirects to a malicious site after user interaction. This can lead to credential theft, malware distribution, or brand damage if your domain is used as the initial trust vector. Organizations relying on React Router for user-facing applications should assess whether their redirect patterns could be exploited and prioritize patching to eliminate this attack surface.

Affected systems

Shopify's React Router is affected in two release branches: all versions from 7.0.0 through 7.14.0, and all versions from 6.7.0 through 6.30.3. Applications must be using the programmatic redirect function to be vulnerable; applications exclusively using declarative routing are not at risk. Any web application built with an affected React Router version that passes user-controlled or insufficiently validated input to the redirect function should be considered at risk.

Exploitability

The vulnerability requires user interaction: an attacker must craft a malicious link and trick a user into clicking it or cause the redirect to be triggered via social engineering or other indirect means. No authentication is required, and the attack can be performed over the network from any location. The barrier to exploitation is low—an attacker needs only to understand the redirect function signature and construct a URL with a // prefix. However, the attack is not self-propagating or automatically triggered; it depends on user behavior.

Remediation

Upgrade React Router to version 7.14.1 or later if running the v7 branch, or to version 6.30.4 or later if running the v6 branch. These patched versions correct the path parsing logic to prevent // prefixes from being misinterpreted as protocol-relative URLs. Additionally, implement input validation on redirect destinations: validate that URLs conform to expected patterns (internal routes or whitelisted external domains) before passing them to the redirect function. This defense-in-depth approach protects against this and similar redirect vulnerabilities.

Patch guidance

Verify the current version of React Router in your package.json or package-lock.json. If running version 7.0.0–7.14.0, upgrade to 7.14.1 or later. If running version 6.7.0–6.30.3, upgrade to 6.30.4 or later. Test the upgrade in a staging environment to ensure no regressions in routing behavior, then deploy to production. Review any custom redirect logic in your application to confirm it does not inadvertently bypass the patched parsing. Consult the vendor advisory at https://github.com/remix-run/react-router/releases for detailed release notes.

Detection guidance

Review application logs for redirect requests that contain // in the URL path parameter. Monitor for patterns where redirect destinations resolve to external domains or unexpected hostnames. Web application firewalls or proxies can be configured to flag redirect function calls with suspicious // prefixes. In code review, identify all invocations of the redirect function and assess whether user input is passed directly without validation. Static analysis tools can help identify risky redirect patterns.

Why prioritize this

This vulnerability warrants prompt attention because open redirects are a proven attack vector in phishing and social engineering campaigns, and because the affected library is widely deployed in React-based applications. The fix is straightforward (a version upgrade), and the risk increases proportionally with the amount of user-facing traffic your application receives. Organizations with high-profile brands or security-sensitive workflows should prioritize this patch to reduce reputational and operational risk.

Risk score, explained

The CVSS 3.1 score of 6.1 (MEDIUM) reflects that the vulnerability has a low attack complexity and requires no privileges, but mandates user interaction and results in limited confidentiality and integrity impact (no availability impact). The protocol-relative URL reinterpretation does not lead to code execution or data breach; instead, it enables account compromise via credential theft or malware through the redirect destination. The score aligns with the threat model of a social-engineering-driven phishing attack.

Frequently asked questions

Does this vulnerability affect all React Router users?

No. The vulnerability only affects applications using the programmatic redirect function with versions 7.0.0–7.14.0 or 6.7.0–6.30.3. Applications built entirely with declarative routing (e.g., <Route> components and <BrowserRouter>) are not vulnerable. You can determine your exposure by checking your React Router version and reviewing whether your codebase calls the redirect function.

What does 'protocol-relative URL' mean in this context?

A protocol-relative URL is a link that begins with // (e.g., //example.com/page). Modern browsers interpret // as 'use the same protocol as the current page (http or https) and connect to the specified domain.' React Router's parser was incorrectly treating // in path values as the start of a protocol-relative URL, allowing an attacker to redirect users to an arbitrary external domain.

Can input validation alone protect my application?

Input validation is an excellent defense-in-depth measure and should be implemented regardless, but it is not a substitute for upgrading. By validating redirect destinations before calling the redirect function—ensuring they are either internal routes or whitelisted external domains—you can prevent this vulnerability from being exploited. However, upgrading to the patched version eliminates the underlying parsing defect and is the primary remediation.

Is there a workaround if I cannot upgrade immediately?

If immediate upgrade is not possible, implement strict URL validation for all redirect destinations. Whitelist or sanitize URLs passed to the redirect function, rejecting any that begin with // or contain unexpected protocol prefixes. This is a temporary measure; plan the upgrade to a patched version as soon as possible.

This analysis is provided for informational purposes to help security teams assess and prioritize vulnerability remediation. It is not a substitute for vendor advisories or your organization's own risk assessment. Verify all patch versions and guidance against official Shopify/Remix Run release notes and your specific deployment configuration. Test patches in a non-production environment before deploying to production. No exploit code or proof-of-concept is provided herein. SEC.co does not provide legal or compliance advice; consult your legal and compliance teams regarding breach notification or regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).