← Back

CVE-2025-68470

nvd nist
Published: Jan 10, 2026Modified: Jan 30, 2026

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: security-advisories@github.com (Secondary)

Description

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

Affected (2)

Shopify
1 product
React Router
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Shopify
React Router
From 6.0.0 to 6.30.1
React Router
From 7.0.0 to 7.9.5

Related CWEs

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (1)

Source: security-advisories@github.com
Third Party Advisory

Timeline

No history available yet.