react-router-dom-6.26.0.tgz: 2 vulnerabilities (highest severity is: 8.0) #100
Description
Vulnerable Library - react-router-dom-6.26.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (react-router-dom version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-22029 |  High |
8.0 | router-1.19.0.tgz | Transitive | 6.30.3 | ❌ |
| CVE-2025-68470 |  Medium |
6.5 | react-router-6.26.0.tgz | Transitive | 6.30.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-22029
Vulnerable Library - router-1.19.0.tgz
Library home page: https://registry.npmjs.org/@remix-run/router/-/router-1.19.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-router-dom-6.26.0.tgz (Root Library)
- ❌ router-1.19.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22029
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: 2026-01-08
Fix Resolution (@remix-run/router): 1.23.2
Direct dependency fix Resolution (react-router-dom): 6.30.3
Step up your Open Source Security Game with Mend here
CVE-2025-68470
Vulnerable Library - react-router-6.26.0.tgz
Library home page: https://registry.npmjs.org/react-router/-/react-router-6.26.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-router-dom-6.26.0.tgz (Root Library)
- ❌ react-router-6.26.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Publish Date: 2026-01-10
URL: CVE-2025-68470
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jcx-v3wj-wh4m
Release Date: 2026-01-08
Fix Resolution (react-router): 6.30.2
Direct dependency fix Resolution (react-router-dom): 6.30.2
Step up your Open Source Security Game with Mend here