Bug 2428417 (CVE-2025-68470) - CVE-2025-68470 react-router: React Router unexpected external redirect
Summary: CVE-2025-68470 react-router: React Router unexpected external redirect
Keywords:
Status: NEW
Alias: CVE-2025-68470
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2428786 2428788 2428790 2428791 2428794 2428795 2428787 2428789 2428792 2428793
Blocks:
Reported: 2026-01-10 04:01 UTC by OSIDB Bzimport
Modified: 2026-01-12 20:44 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-01-10 04:01:52 UTC
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
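
One way to act on the description's caveat about untrusted content in navigation paths, as an added example (not React Router code and not the upstream patch): reduce an untrusted value to a same-origin path before it reaches navigate(), <Link>, or redirect(). `APP_ORIGIN`, `toInternalPath` and the fallback path are hypothetical names chosen for illustration; upgrading to 6.30.2 or 7.9.6 remains the fix.

```javascript
// Added example: allowlist-style check for untrusted navigation targets.
// APP_ORIGIN and toInternalPath are hypothetical, not React Router APIs.
const APP_ORIGIN = "https://app.example"; // placeholder, used only to resolve paths

function toInternalPath(untrusted, fallback = "/") {
  // Only bounded, non-empty strings are candidates.
  if (typeof untrusted !== "string") return fallback;
  if (untrusted.length === 0 || untrusted.length > 2048) return fallback;

  // Control characters, whitespace and backslashes are rewritten by URL
  // parsers in ways that are hard to reason about, so refuse them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(untrusted)) return fallback;

  // Require an absolute in-app path: exactly one leading slash.
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let resolved;
  try {
    resolved = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }

  // After resolution the target must still belong to the application origin.
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Dot-segment removal can leave a path that begins with "//", which a
  // later consumer could read as a network-path reference. Re-check the
  // normalized form, not just the raw input.
  const path = resolved.pathname + resolved.search + resolved.hash;
  if (path.startsWith("//")) return fallback;

  return path;
}

// Intended call sites (React Router APIs named in the description above):
//   navigate(toInternalPath(searchParams.get("next")));
//   return redirect(toInternalPath(formData.get("returnTo"), "/home"));
```

The function returns the normalized path, so callers should pass its return value onward instead of the original string.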
