CVE-2025-68470

MEDIUM6.5EPSS 0.05%

React Router has unexpected external redirect via untrusted paths

發布日:2026/1/8修改日:2026/2/3

描述

An attacker-supplied path can be crafted so that when a React Router application navigates to it via `navigate()`, `<Link>`, or `redirect()`, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

受影響套件(1)

npm/react-router>= 6.0.0, < 6.30.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-68470
PATCHhttps://github.com/remix-run/react-router
WEBhttps://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m