React Router and Remix Open Redirect Vulnerability Leading to Cross-Site Scripting

Vulnerability

A cross-site scripting vulnerability has been identified in React Router and Remix versions that permit open navigation redirects in single-page applications (SPAs). The issue is present in @remix-run/router versions prior to 1.23.2 and in react-router versions 7.0.0 through 7.11.0. It arises from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes, where unsafe URLs can be built from untrusted content or reached via an open redirect, leading to unintended JavaScript execution on the client side. Applications using Declarative Mode with <BrowserRouter> are not affected.
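Where a loader or action builds its redirect target from request input, an allow-list check on that target is the defence-in-depth measure to pair with the upgrade. The following is an added example, not React Router's or Remix's own code, and it runs on its own without the router; the `returnTo` parameter, the `https://app.invalid` origin and the function names are assumptions.

```javascript
// Added example: allow-list a redirect target taken from request input before a
// loader or action passes it to redirect(). Not React Router's or Remix's code.
// Assumption: only rooted, same-origin paths are legitimate targets.

const FALLBACK_TARGET = "/";
const APP_ORIGIN = "https://app.invalid"; // constructed placeholder origin

// Returns a normalized in-app path, or the fallback for anything else.
function safeRedirectTarget(candidate, fallback = FALLBACK_TARGET) {
  if (typeof candidate !== "string" || candidate === "") return fallback;

  // Reject (rather than strip) control characters and spaces: URL parsers drop
  // tabs, newlines and leading/trailing whitespace, so a prefix check on the raw
  // string would not see the same URL the browser does.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return fallback;

  // Require exactly one leading slash. This excludes absolute URLs with any
  // scheme (https:, javascript:, data:), protocol-relative "//host" targets and
  // "/\host", which browsers normalize to "//host".
  if (!candidate.startsWith("/") || /^\/[\/\\]/.test(candidate)) return fallback;

  // Resolve against the fixed origin and confirm the result stayed on it.
  let resolved;
  try {
    resolved = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Return the normalized form (dot segments collapsed) instead of the raw input.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Loader-style helper: decide where to send the user after login, given the
// request URL a loader receives. The returnTo parameter name is an assumption.
function postLoginTarget(requestUrl) {
  const returnTo = new URL(requestUrl).searchParams.get("returnTo");
  return safeRedirectTarget(returnTo);
}
```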

Impact

Exploitation of this vulnerability enables cross-site scripting: an attacker can inject scripts that execute in the user's browser in the context of the vulnerable application.

Remediation

Users can upgrade to @remix-run/router version 1.23.2 or react-router version 7.12.0 to address this vulnerability.

Added: Jan 10, 2026, 3:22 AM
Updated: Jan 10, 2026, 3:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.