PT-2026-2137 · Unknown+1 · @Remix-Run/Router+2

Oceandust · Published 2026-01-08 · Updated 2026-04-21 · CVE-2026-22029

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

React Router versions 7.0.0 through 7.11.0
@remix-run/router versions prior to 1.23.2

Description

React Router, a router for React, is susceptible to open redirect issues. Specifically, Single Page Applications (SPAs) using React Router (and Remix v1/v2) in Framework Mode, Data Mode, or the unstable RSC modes may process unsafe URLs, leading to unintended JavaScript execution on the client when handling redirects that originate from loaders or actions. This is only a concern when redirect paths are created from untrusted content or via an open redirect. The issue does not affect applications using Declarative Mode.

Recommendations

React Router versions 7.0.0 through 7.11.0: Update to version 7.12.0 or later.
@remix-run/router versions prior to 1.23.2: Update to version 1.23.2 or later.
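
A defensive check for the condition the description names (redirect paths created from untrusted content), as an added example that is not React Router's code or part of the advisory: it validates a candidate path before a loader or action hands it to a redirect. `APP_ORIGIN`, `safeRedirectTarget`, `redirectTargetFromRequest` and the `next` query parameter are assumptions made for illustration.

```javascript
// Added example, not React Router code. All names below are hypothetical.
const APP_ORIGIN = "https://app.example"; // constructed placeholder origin

// Return a same-origin path safe to pass to a redirect, or the fallback.
function safeRedirectTarget(untrusted, fallback = "/") {
  if (typeof untrusted !== "string") return fallback;
  // Control characters and backslashes are normalised by URL parsers
  // (tabs and newlines stripped, "\" treated as "/"), so reject them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(untrusted)) return fallback;
  // Only absolute paths: this excludes any scheme (javascript:, data:, https:)
  // and protocol-relative targets such as "//host".
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Defence in depth: the parsed result must still resolve to our origin.
  if (url.origin !== APP_ORIGIN) return fallback;
  // Re-serialise from the parsed parts so the caller gets the normalised path.
  return url.pathname + url.search + url.hash;
}

// Typical loader/action use: take the target from a query parameter of the
// incoming request URL (the parameter name "next" is an assumption).
function redirectTargetFromRequest(requestUrl) {
  const next = new URL(requestUrl).searchParams.get("next");
  return safeRedirectTarget(next);
}

// Constructed sample inputs.
for (const sample of ["/settings?tab=1", "//other.example/x", "https://other.example/"]) {
  console.log(JSON.stringify(sample), "->", safeRedirectTarget(sample));
}
```

In a loader or action, the returned value is what would be passed to the router's `redirect()` in place of the raw request parameter.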

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-22029
GHSA-2W69-QVJG-HVJX
OPENSUSE-SU-2026:10069-1
RHSA-2026:3958
RHSA-2026:3959

Affected Products

@Remix-Run/Router
Confluence
React Router