Open Navigation Redirect Vulnerability in React Router by Remix-Run
CVE-2026-22029

8 HIGH

Key Information:

Vendor: Remix-run

CVE Published: 10 January 2026

What is CVE-2026-22029?

An open navigation redirect vulnerability exists in React Router versions from 7.0.0 to 7.11.0, and in @remix-run/router versions prior to 1.23.2. The issue arises from improper handling of redirect paths that can originate from untrusted content, potentially leading to unsafe URL execution and unintended JavaScript execution on the client side. The vulnerability can be exploited where redirect paths are derived from untrusted inputs in Framework Mode, Data Mode, or unstable RSC modes. Using Declarative Mode () mitigates this vulnerability. The flaw has been addressed in version 1.23.2 of @remix-run/router and version 7.12.0 of react-router.
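Alongside upgrading, an application can refuse to pass untrusted values to a redirect unless they are plain same-origin paths. The sketch below is an added example, not code from React Router or its patch; the function name `safeRedirectTarget`, the placeholder origin and the sample inputs are constructed for illustration.

```javascript
// Added example: application-side validation of a redirect target.
// Not the upstream fix; names and sample values are hypothetical.
const BASE = "http://app.invalid"; // placeholder origin, used only for parsing

function safeRedirectTarget(untrusted, fallback = "/") {
  if (typeof untrusted !== "string") return fallback;

  // URL parsers strip tab/CR/LF and may treat "\" like "/", so reject
  // control characters and backslashes outright rather than normalising them.
  if (/[\u0000-\u001f\u007f\\]/.test(untrusted)) return fallback;

  // Accept only a path with exactly one leading slash. This excludes any value
  // carrying a URL scheme and protocol-relative targets such as "//host".
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let parsed;
  try {
    parsed = new URL(untrusted, BASE);
  } catch {
    return fallback;
  }

  // After resolution the target must still sit on the placeholder origin.
  if (parsed.origin !== BASE) return fallback;

  // Return the normalised path so the router receives no scheme or host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed inputs, e.g. a "returnTo" query parameter read in a loader or action.
const samples = [
  "/dashboard?tab=1#x",
  "/a/../b",
  "https://example.com/",
  "//example.com/x",
  "/\\example.com",
  "javascript:void(0)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

Call the check at the point where the untrusted value is read, and pass only its return value to the router's redirect.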

Affected Version(s)

@remix-run/router: affected < 1.23.2; fixed in 1.23.2

react-router: affected >= 7.0.0, < 7.12.0; fixed in 7.12.0

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
