CVE-2025-68470 - Vulnerability Details

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

References

Link	Providers
https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
https://nvd.nist.gov/vuln/detail/CVE-2025-68470
https://www.cve.org/CVERecord?id=CVE-2025-68470

History

Tue, 13 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-68470 https://www.cve.org/CVERecord?id=CVE-2025-68470
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 12 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 10 Jan 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Title		React Router has unexpected external redirect via untrusted paths
Weaknesses		CWE-601
References		https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-10T02:39:41.078Z

Updated: 2026-01-12T18:17:43.794Z

Reserved: 2025-12-18T13:48:59.555Z

Link: CVE-2025-68470

Vulnrichment

Updated: 2026-01-12T18:17:40.976Z

NVD

Status : Awaiting Analysis

Published: 2026-01-10T03:15:48.477

Modified: 2026-01-13T14:03:18.990

Link: CVE-2025-68470

Redhat

Severity : Moderate

Publid Date: 2026-01-10T02:39:41Z

Links: CVE-2025-68470 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object