External URL Navigation Vulnerability in React Router by Remix Run
CVE-2025-68470

6.5MEDIUM

Key Information:

Vendor: Remix-run
Status: React-router
Vendor: CVE Published:; 10 January 2026

What is CVE-2025-68470?

React Router, a popular routing library for React applications, has a vulnerability allowing an attacker to manipulate navigation paths. When untrusted content is passed into navigation methods like navigate(), , or redirect(), the application may redirect users to malicious external URLs. This could lead to phishing attacks or data leakage. The issue has been resolved in the patched versions 6.30.2 and 7.9.6, emphasizing the need for developers to validate input when handling navigation aspects.

Affected Version(s)

react-router >= 7.0.0, < 7.9.6 < 7.0.0, 7.9.6

react-router >= 6.0.0, < 6.30.2 < 6.0.0, 6.30.2

References

https://github.com/remix-run/react-router/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 10, 2026
Vulnerability Reserved
Dec 18, 2025

JSON

Remix-run

What is CVE-2025-68470?

Affected Version(s)

References

CVSS V3.1

Timeline