CVE-2026-40181
Description
React Router versions 7.0.0-7.14.0 and 6.7.0-6.30.3 are vulnerable to open redirects when specific URLs are passed to the redirect function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Certain versions of React Router, specifically 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, contain a vulnerability where URLs passed to the redirect function can trigger an open redirect. This occurs when path values begin with //, causing them to be reinterpreted as protocol-relative URLs. This issue does not affect applications using Declarative Mode with `` [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL that includes a path starting with //. When such a path is passed to the redirect function in a vulnerable version of React Router, the user's browser can be sent to an external domain. The success of the exploit depends on whether the application validates the URL before returning the redirect [1].
Impact
Successful exploitation of this vulnerability can lead to an open redirect, potentially directing users to malicious external domains. The ultimate impact, such as information disclosure or facilitating phishing attacks, depends on the specific application's implementation and how it handles user input and subsequent redirects [1].
Mitigation
This vulnerability is patched in React Router versions 7.14.1 and 6.30.4. Users are advised to update to these fixed versions as soon as possible. No workarounds are mentioned in the available references for versions prior to the fix [1].
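The application-side validation that the Exploitation section refers to, as an added example that is not React Router's or this advisory's own code: it rejects protocol-relative (`//`) and backslash variants before a path reaches the redirect function. The `returnTo` query parameter and the `https://app.example` origin are assumptions for illustration.

```javascript
// Added example: validate a user-supplied destination before handing it to
// React Router's redirect(). Assumes the post-login destination arrives in a
// hypothetical "returnTo" query parameter on a constructed sample origin.
const APP_ORIGIN = "https://app.example"; // constructed sample origin

function isSafeRedirectPath(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  // Only same-origin, root-relative paths are allowed: no full URLs and
  // no "//host" or "/\host" forms, which browsers treat as a new authority.
  if (!path.startsWith("/")) return false;
  if (path.startsWith("//") || path.startsWith("/\\")) return false;
  // Tabs and other C0 controls are stripped by the WHATWG URL parser, so
  // "/\t//host" would otherwise collapse into "//host" after parsing.
  if (/[\u0000-\u001f\u007f]/.test(path)) return false;
  // Final check: resolve against the app origin and confirm it stays there.
  let resolved;
  try {
    resolved = new URL(path, APP_ORIGIN);
  } catch {
    return false;
  }
  return resolved.origin === APP_ORIGIN;
}

// Returns the path an application would pass to redirect(): the validated
// "returnTo" value, or a safe fallback when the value fails the checks.
function safeRedirectTarget(requestUrl, fallback = "/") {
  const returnTo = new URL(requestUrl).searchParams.get("returnTo");
  return isSafeRedirectPath(returnTo) ? returnTo : fallback;
}
```

Rejecting anything that is not a root-relative path is deliberate: an allowlist of shapes is easier to reason about than a denylist of known-bad prefixes, and the final `new URL(...).origin` comparison catches forms the string checks miss.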
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=7.0.0 <7.14.1, >=6.7.0 <6.30.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.