GHSA-2j2x-hqr9-3h42

Source

https://github.com/advisories/GHSA-2j2x-hqr9-3h42

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2j2x-hqr9-3h42/GHSA-2j2x-hqr9-3h42.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2j2x-hqr9-3h42

Aliases

CVE-2026-40181

Published

2026-06-03T20:58:01Z

Modified

2026-06-03T21:00:07.966230569Z

Severity

6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T20:58:01Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-06-02T20:16:35Z",
    "cwe_ids": [
        "CWE-601"
    ]
}

References

Affected packages

npm / react-router

Package

Name: react-router; View open source insights on deps.dev
Purl: pkg:npm/react-router

Affected ranges

Type: SEMVER
Events: Introduced

7.0.0

Fixed

7.14.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2j2x-hqr9-3h42/GHSA-2j2x-hqr9-3h42.json"

npm / react-router

Package

Name: react-router; View open source insights on deps.dev
Purl: pkg:npm/react-router

Affected ranges

Type: SEMVER
Events: Introduced

6.7.0

Fixed

6.30.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2j2x-hqr9-3h42/GHSA-2j2x-hqr9-3h42.json"