GHSA-2w69-qvjg-hvjx: React Router vulnerable to XSS via Open Redirects
React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.
Note: This does not impact applications that use Declarative Mode (<BrowserRouter>).
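As an added illustration (not code from the advisory or from the React Router project), one way an application can constrain a redirect path built from untrusted content before returning it from a loader or action. The names APP_ORIGIN, safeRedirectPath, redirectTargetFromRequest and the returnTo query parameter are assumptions made for this example.

```javascript
// Added example: allow only same-origin, single-slash absolute paths as
// redirect targets. All names below are hypothetical, not React Router API.
const APP_ORIGIN = "https://app.example"; // assumed application origin

function safeRedirectPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string" || untrusted.length === 0) return fallback;
  // Control characters are stripped by URL parsers and "\" is treated like
  // "/" for http(s) URLs, so refuse both before any prefix check.
  if (/[\u0000-\u001f\u007f\\]/.test(untrusted)) return fallback;
  // Require "/path": this refuses scheme-bearing values ("javascript:",
  // "data:", "https://host") and protocol-relative values ("//host").
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Defense in depth: the resolved URL must still be on our own origin.
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Extracts the (assumed) returnTo parameter from a request URL, as a loader
// would, and returns a value that is safe to hand to a redirect, e.g.
//   return redirect(redirectTargetFromRequest(request.url));
function redirectTargetFromRequest(requestUrl) {
  const returnTo = new URL(requestUrl).searchParams.get("returnTo");
  return safeRedirectPath(returnTo, "/");
}
```
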
- CVE-2026-22029
Package: @remix-run/router (npm)
Affected versions: <= 1.23.1
References
- GHSA-2w69-qvjg-hvjx
Published to the GitHub Advisory Database: Jan 8, 2026