Bug 2484112 (CVE-2026-40181)

Summary: CVE-2026-40181 react-router: React Router: Open redirect vulnerability via specially crafted URLs
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abarbaro, abokovoy, abrianik, adudiak, alcohan, alizardo, amctagga, anjoseph, anpicker, anthomas, anujha, aoconnor, aschwart, asoldano, aszczucz, ataylor, bbaranow, bdettelb, bmaxwell, bniver, boliveir, bparees, brasmith, bstansbe, cdrage, cmah, cmyers, cochase, dbosanac, dbruscin, dhanak, dhanina, dlofthou, dnakabaa, doconnor, dranck, drichtar, drosa, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, erezende, ewittman, fdeutsch, flucifre, fmariani, frenaud, ftrivino, ggainey, ggrzybek, gmalinko, gmeno, gotiwari, gparvin, groman, hasun, ibek, ibolton, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jfula, jgrulich, jhe, jhorak, jkoehler, jlanda, jmatthew, jmontleo, jolong, jowilson, jprabhak, jraez, jreimann, jrokos, juwatts, jwong, jwon, kaycoth, kbempah, kshier, ktsao, kvanderr, lball, lchilton, lcouzens, lphiri, manissin, mbenjamin, mcarlett, mdessi, mhackett, mhess, mhulan, mnovotny, mosmerov, mposolda, mrizzi, msvehla, mvyas, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, oramraz, osousa, pahickey, pantinor, parichar, pberan, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, prwatson, psrna, ptisnovs, rchan, rhaigner, rhel-process-autobot, rjohnson, rkubis, rmartinc, rstancel, rstepani, rushinde, sausingh, sdawley, sdoran, sfeifer, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, solenoci, sostapov, sseago, ssilvert, stcannon, sthorger, stirabos, syedriko, tasato, tcunning, teagle, thason, thjenkin, tmalecek, tpopela, vdosoudi, vereddy, veshanka, vle, vmuzikar, vwilson, watson-tool-maintainers, wtam, xdharmai, yfang, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in React Router. This vulnerability allows a remote attacker to redirect users to an external, potentially malicious, website. This occurs when specially crafted URLs, containing paths starting with `//`, are passed to the redirect function, causing them to be misinterpreted as protocol-relative URLs. The severity of the impact depends on how the application validates redirects.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2489753, 2489757, 2489758, 2489754, 2489755, 2489756, 2489759, 2489760
Bug Blocks:

Description OSIDB Bzimport 2026-06-02 20:02:19 UTC
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.
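
The description notes that the impact depends on the validation the application performs before returning the redirect. The following is an added example of such application-side validation; it is not code from React Router or from this bug report. It assumes a constructed application origin (APP_ORIGIN) and a hypothetical helper name (isSafeLocalRedirect). It accepts only single-slash, same-origin paths, rejecting protocol-relative forms (a leading `//`, and the `/\` variant that WHATWG URL parsing normalises to `//` for http(s) URLs), absolute URLs with a scheme, and anything that still resolves to a foreign origin after parsing.

```javascript
// Added example (not React Router project code): validate a user-supplied
// redirect target before handing it to a redirect call. Constructed origin:
const APP_ORIGIN = "https://app.example";

// Returns true only for an absolute, same-origin path such as "/dashboard".
function isSafeLocalRedirect(target, origin = APP_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return false;

  // Must be an absolute path within this application, not a relative
  // segment and not a full URL with a scheme.
  if (!target.startsWith("/")) return false;

  // Reject protocol-relative targets: "//host/..." and "/\host/..."
  // (browsers and the WHATWG URL parser treat "\" as "/" for http(s)).
  if (target.startsWith("//") || target.startsWith("/\\")) return false;

  // Reject control characters and whitespace that some parsers strip,
  // which could otherwise hide a leading "//".
  if (/[\u0000-\u001F\u007F\s]/.test(target)) return false;

  // Belt and braces: resolve against the app origin exactly as a browser
  // would and confirm the resulting origin is still ours.
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return false;
  }
  return resolved.origin === origin;
}

// Convenience wrapper: fall back to a known-safe path when validation fails.
function safeRedirectTarget(target, fallback = "/") {
  return isSafeLocalRedirect(target) ? target : fallback;
}

// Sample usage with constructed inputs.
console.log(safeRedirectTarget("/dashboard"));           // "/dashboard"
console.log(safeRedirectTarget("//evil.example/phish")); // "/"
console.log(safeRedirectTarget("/\\evil.example"));      // "/"
```

In a React Router loader or action the wrapper would be applied to the untrusted value before it reaches the library's `redirect` call, for example `redirect(safeRedirectTarget(nextParam))`. Note that a query string containing `//` (such as `/login?next=//evil.example`) is accepted, because the path itself starts with a single slash and the browser resolves it on the application's origin; only the path prefix decides where the browser navigates.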

Comment 2 David Hanina 2026-06-03 06:49:04 UTC
As far as FreeIPA goes, we can safely waive this one, as we use Declarative mode, which is not affected.