CVE-2026-40181
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.
| CWE | CWE-601 |
| Vendor | remix-run |
| Product | react-router |
| Published | Jun 2, 2026 |
| Last Updated | Jun 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for remix-run react-router
Be the first to know when new unknown vulnerabilities affecting remix-run react-router are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
remix-run / react-router
>= 7.0.0, < 7.14.1 >= 6.7.0, < 6.30.4