{"vulnerability": "CVE-2026-40181", "sightings": [{"uuid": "95e5477e-e393-4892-8085-41520014133f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40181", "type": "seen", "source": "https://gist.github.com/alon710/c225f7d330b57c3901ac40c39f91bf81", "content": "# CVE-2026-40181: Open Redirect Vulnerability in React Router\n\n> **CVSS Score:** 6.6\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-40181\n\n## Summary\nAn open redirect vulnerability exists in the react-router library due to insufficient validation of double-slash-prefixed paths in the programmatic redirect helper. Attackers can leverage this to bypass destination validation that only checks for a leading slash and send users to domains they control. The bypass works because browsers interpret a URL beginning with two slashes as a protocol-relative target (scheme inherited, host taken from the URL) rather than as a path within the application.\n\n## TL;DR\nReact Router fails to reject protocol-relative double-slash URLs (e.g., //attacker.com) in its redirect helper, allowing attackers to bypass internal redirect checks and route users to external malicious sites.\n\n## Technical Details\n\n- **CWE ID**: CWE-601 (URL Redirection to Untrusted Site)\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 6.6\n- **EPSS Score**: 0.00041\n- **Impact**: High Integrity Impact (External Redirection Phishing)\n- **Exploit Status**: Unproven (No active public exploits)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- react-router\n- react-router-dom\n- Remix Framework (via React Router core library)\n\n## Mitigation\n\n- Upgrade React Router dependencies to patched releases (6.30.4+ or 7.14.1+).\n- Until then, validate redirect targets yourself with a strict relative-path check that accepts only paths beginning with a single slash and rejects a leading double slash (//) or slash-backslash (/\\), since browsers treat a backslash as a slash in http(s) URLs.\n- A Content Security Policy (CSP) form-action directive restricts where forms may submit; it limits form-driven flows only and does not stop a Location-header redirect issued by a loader or action, so it complements rather than replaces the fix above.\n\n**Remediation Steps:**\n1. Identify all loaders, actions and other routing logic that pass a user-influenced target to the programmatic redirect helper.\n2. Review dependencies and update react-router and react-router-dom to 6.30.4 (for v6 apps) or 7.14.1 (for v7 apps).\n3. If immediate upgrading is unfeasible, deploy a utility helper that validates user-provided redirect paths and falls back to a known-good path when the target begins with a double slash (//) or slash-backslash (/\\).\n4. Verify the implementation with automated unit tests that attempt to pass protocol-relative parameters.\n\n## References\n\n- [GitHub Security Advisory GHSA-2j2x-hqr9-3h42](https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42)\n- [NVD Vulnerability Details for CVE-2026-40181](https://nvd.nist.gov/vuln/detail/CVE-2026-40181)\n- [React Router Project Repository](https://github.com/remix-run/react-router)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-40181) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T21:10:57.000000Z"}]}
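The mitigation and remediation steps in the sighting above call for a strict relative-path validator in front of the redirect helper and unit tests that feed it protocol-relative values. The following is an added example written for this page, not code from the React Router project or from the CVEReports author. It models a login loader that honours a `?redirectTo=` query parameter, first in the exploitable form and then behind a validator; the `redirect()` stand-in, the `app.invalid` placeholder origin and the `redirectTo` parameter name are assumptions for the illustration. It goes slightly beyond the advisory text by also rejecting targets containing ASCII tab or newline, which the URL parser deletes before parsing (so `/\t/evil.com` is really `//evil.com`).

```javascript
// Added example (not React Router project code). Requires Node 18+ for the
// global Response and WHATWG URL.

// Stand-in for a framework redirect() helper: a 302 Response whose Location
// header carries the target. Assumed to match the real helper for this purpose.
function redirect(location, status = 302) {
  return new Response(null, { status, headers: { Location: location } });
}

// Placeholder origin used only to resolve candidate paths; it is never contacted.
const PLACEHOLDER_ORIGIN = "https://app.invalid";

// Returns true only for a path-absolute, same-origin reference such as
// "/account" or "/a/b?c=d#e". Rejects anything a browser would treat as
// protocol-relative ("//evil.com", "/\evil.com", "/\t/evil.com") or absolute.
function isSafeRelativePath(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Browsers delete ASCII tab/LF/CR from a URL before parsing, so a target
  // that contains them is not what it looks like. A legitimate application
  // path never contains them; reject outright.
  if (/[\t\n\r]/.test(target)) return false;
  // Must begin with exactly one slash. "\" is treated as "/" for http(s)
  // URLs, so "/\evil.com" is also protocol-relative.
  if (target[0] !== "/") return false;
  if (target[1] === "/" || target[1] === "\\") return false;
  // Defence in depth: resolve with the same WHATWG parser the browser uses
  // and require that the origin did not change.
  let resolved;
  try {
    resolved = new URL(target, PLACEHOLDER_ORIGIN);
  } catch {
    return false;
  }
  return resolved.origin === PLACEHOLDER_ORIGIN;
}

// Validate or fall back to a known-good in-app path.
function safeRedirectPath(target, fallback = "/") {
  return isSafeRelativePath(target) ? target : fallback;
}

// Exploitable pattern: the query parameter goes straight into redirect().
// A request for /login?redirectTo=//evil.com sends the user off-site.
function vulnerableLoader(requestUrl) {
  const redirectTo = new URL(requestUrl).searchParams.get("redirectTo") || "/";
  return redirect(redirectTo);
}

// Hardened pattern: validate first, fall back to "/" on anything suspicious.
function hardenedLoader(requestUrl) {
  const redirectTo = new URL(requestUrl).searchParams.get("redirectTo");
  return redirect(safeRedirectPath(redirectTo, "/"));
}

// Constructed sample inputs showing the bypass and the fix.
for (const sample of ["/dashboard", "//evil.com", "/\\evil.com", "/\t/evil.com"]) {
  const url = "https://app.invalid/login?redirectTo=" + encodeURIComponent(sample);
  console.log(
    JSON.stringify(sample),
    "vulnerable ->", vulnerableLoader(url).headers.get("Location"),
    "| hardened ->", hardenedLoader(url).headers.get("Location")
  );
}
```

The prefix checks alone already close the `//` and `/\` cases the advisory describes; the extra resolve-and-compare step catches any further parser normalisation that would change the origin, at the cost of one URL parse per redirect.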