CVE-2025-68470

CVE-2025-68470 PUBLISHED CVSS 6.5 MEDIUM

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

EPSS 0.05% · 15.3th percentile

Risk Scores

CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.05% (15.3th percentile)

Affected Products

Vendor      Product        Versions
shopify     react-router   6.0.0, 7.0.0
npm         react-router   6.0.0, 7.0.0
remix-run   react-router   >= 7.0.0, < 7.9.6, >= 6.0.0, < 6.30.2

Timeline

  • Jan 8, 2026 CVE Published
  • Jan 10, 2026 EPSS Score
  • Jan 11, 2026 CVE Updated
  • Jan 13, 2026 EPSS Score
  • Jan 16, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 22, 2026 EPSS Score
  • Jan 25, 2026 EPSS Score
  • Jan 28, 2026 EPSS Score
  • Jan 31, 2026 EPSS Score
  • Feb 1, 2026 Security Advisory
  • Feb 4, 2026 EPSS Score