Skip to content

react-router-dom-6.23.0.tgz: 3 vulnerabilities (highest severity is: 8.0) #62

Description

@mend-bolt-for-github
Vulnerable Library - react-router-dom-6.23.0.tgz

Path to dependency file: /default/dockerbuild/react-ui/frontend/package.json

Path to vulnerable library: /default/dockerbuild/react-ui/frontend/node_modules/react-router/package.json

Found in HEAD commit: 7d4ec1976bf34e113ff183b2bc7fa39af6136591

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (react-router-dom version) Remediation Possible**
CVE-2026-22029 High 8.0 router-1.16.0.tgz Transitive 6.30.3
CVE-2026-40181 High 7.5 react-router-6.23.0.tgz Transitive 6.30.4
CVE-2025-68470 Medium 6.5 react-router-6.23.0.tgz Transitive 6.30.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-22029

Vulnerable Library - router-1.16.0.tgz

Library home page: https://registry.npmjs.org/@⁠remix-run/router/-/router-1.16.0.tgz

Path to dependency file: /default/dockerbuild/react-ui/frontend/package.json

Path to vulnerable library: /default/dockerbuild/react-ui/frontend/node_modules/@⁠remix-run/router/package.json

Dependency Hierarchy:

  • react-router-dom-6.23.0.tgz (Root Library)
    • router-1.16.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d4ec1976bf34e113ff183b2bc7fa39af6136591

Found in base branch: main

Vulnerability Details

React Router is a router for React. In @⁠remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @⁠remix-run/router version 1.23.2 and react-router version 7.12.0.

Publish Date: 2026-01-10

URL: CVE-2026-22029

CVSS 3 Score Details (8.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2w69-qvjg-hvjx

Release Date: 2026-01-08

Fix Resolution (@⁠remix-run/router): 1.23.2

Direct dependency fix Resolution (react-router-dom): 6.30.3

Step up your Open Source Security Game with Mend here

CVE-2026-40181

Vulnerable Library - react-router-6.23.0.tgz

Library home page: https://registry.npmjs.org/react-router/-/react-router-6.23.0.tgz

Path to dependency file: /default/dockerbuild/react-ui/frontend/package.json

Path to vulnerable library: /default/dockerbuild/react-ui/frontend/node_modules/react-router/package.json

Dependency Hierarchy:

  • react-router-dom-6.23.0.tgz (Root Library)
    • react-router-6.23.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d4ec1976bf34e113ff183b2bc7fa39af6136591

Found in base branch: main

Vulnerability Details

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (). This is patched in versions 7.14.1 and 6.30.4.

Publish Date: 2026-06-02

URL: CVE-2026-40181

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-02

Fix Resolution (react-router): 6.30.4

Direct dependency fix Resolution (react-router-dom): 6.30.4

Step up your Open Source Security Game with Mend here

CVE-2025-68470

Vulnerable Library - react-router-6.23.0.tgz

Library home page: https://registry.npmjs.org/react-router/-/react-router-6.23.0.tgz

Path to dependency file: /default/dockerbuild/react-ui/frontend/package.json

Path to vulnerable library: /default/dockerbuild/react-ui/frontend/node_modules/react-router/package.json

Dependency Hierarchy:

  • react-router-dom-6.23.0.tgz (Root Library)
    • react-router-6.23.0.tgz (Vulnerable Library)

Found in HEAD commit: 7d4ec1976bf34e113ff183b2bc7fa39af6136591

Found in base branch: main

Vulnerability Details

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

Publish Date: 2026-01-10

URL: CVE-2025-68470

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9jcx-v3wj-wh4m

Release Date: 2026-01-08

Fix Resolution (react-router): 6.30.2

Direct dependency fix Resolution (react-router-dom): 6.30.2

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions