CVE-2026-22029 - Vulnerability Details

React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact total

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-2w69-qvjg-hvjx	React Router vulnerable to XSS via Open Redirects

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
https://nvd.nist.gov/vuln/detail/CVE-2026-22029
https://www.cve.org/CVERecord?id=CVE-2026-22029

History

Tue, 13 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-22029 https://www.cve.org/CVERecord?id=CVE-2026-22029
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 12 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 10 Jan 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Title		React Router vulnerable to XSS via Open Redirects
Weaknesses		CWE-79
References		https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
Metrics		cvssV3_1 `{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-10T02:42:32.736Z

Updated: 2026-01-13T04:55:52.374Z

Reserved: 2026-01-05T22:30:38.718Z

Link: CVE-2026-22029

Vulnrichment

Updated: 2026-01-12T18:10:24.549Z

NVD

Status : Awaiting Analysis

Published: 2026-01-10T03:15:48.870

Modified: 2026-01-13T14:03:18.990

Link: CVE-2026-22029

Redhat

Severity : Important

Publid Date: 2026-01-10T02:42:32Z

Links: CVE-2026-22029 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object