CVE-2025-68470— React Router has unexpected external redirect via untrusted paths

React Router has unexpected external redirect via untrusted paths

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

指向未可信站点的URL重定向(开放重定向)

react-router 输入验证错误漏洞

react-router是Remix开源的一个 React 的声明式路由。 React Router 6.0.0版本至6.30.1版本和7.0.0版本至7.9.5版本存在输入验证错误漏洞，该漏洞源于特制路径，可能导致重定向攻击。

N/A

N/A