React Router, Open Redirect (CWE‑601), CVE‑2026‑40181 (Moderate) -DC-Jun2026-181


CVE‑2026‑40181 – React Router’s `redirect` function in versions 7.0.0–7.14.0 and 6.7.0–6.30.3 incorrectly interprets a relative path that begins with a double slash (`//`) as a protocol‑relative URL. This happens because the function does not sanitize the leading `//` before constructing the destination location.
In web browsers, a string like `//evil.com` is not treated as a relative path but as an absolute URL that inherits the current page’s protocol (e.g., `https://evil.com`). An attacker who can control the value passed to `redirect()` can supply `//attacker-controlled.com`. Since the redirect function sees only the path part, it faithfully builds a new `Location` header that points to the external domain.
The consequence is an open redirect (CWE‑601): the user is silently sent to a malicious website without any validation. This can be used for phishing, credential theft, or to bypass same‑origin restrictions that the application intended to enforce. The vulnerability is triggered only when the redirect target originates from an untrusted source and the application does not perform additional checks on the destination. Applications that exclusively use declarative routing are not affected.
The issue is patched in versions 7.14.1 and 6.30.4. The CVSS score is 6.6 (Moderate).
DailyCVE Form:
Platform: `React Router`
Version: `7.0.0–7.14.0 / 6.7.0–6.30.3`
Vulnerability: `Open redirect`
Severity: `Moderate (6.6)`
Date: `2026‑06‑02`
Prediction: 2026‑06‑03 (patched)
What Undercode Say:

Check your current React Router version:

```shell
npm list react-router
```

If vulnerable, upgrade immediately:

```shell
npm install react-router@7.14.1   # v7 apps
npm install react-router@6.30.4   # v6 apps
```

Alternatively, scan for the vulnerable pattern in your codebase (the `--include` globs need a `*` so they match file extensions, not files literally named `.js`):

```shell
grep -r "redirect(" --include="*.js" --include="*.ts" --include="*.jsx" --include="*.tsx" . | grep "//"
```

A simple check to block double‑slash redirects in a middleware:

```javascript
if (redirectPath && redirectPath.startsWith('//')) {
  throw new Error('Blocked protocol-relative redirect');
}
```

Vulnerable code example – do NOT use:

```javascript
import { redirect } from 'react-router';

// The loader receives the Request in its arguments; the `redirect` query
// parameter is attacker-controlled and is passed to redirect() unchecked.
export function loader({ request }) {
  const url = new URL(request.url);
  const dest = url.searchParams.get('redirect');
  return redirect(dest); // dest could be "//evil.com"
}
```

Safe validation before redirect:

```javascript
function safeRedirect(dest, defaultPath = '/') {
  // Reject empty values, protocol-relative paths and absolute URLs;
  // anything else is treated as an in-app relative path.
  if (!dest || dest.startsWith('//') || dest.startsWith('http://') || dest.startsWith('https://')) {
    return defaultPath;
  }
  return dest;
}
```

Exploit:
1. Identify an application endpoint that calls `redirect()` with a user‑controllable parameter (e.g., `?next=…`).
2. Craft a malicious link using a double‑slash payload: `https://victim.com/logout?redirect=//attacker.com/phish`
3. Trick the victim into clicking the link (e.g., via email or a fake login page).
4. The React Router redirect function preserves the `//` prefix and the browser interprets it as a protocol‑relative URL, sending the user to `https://attacker.com/phish`.
5. The attacker can now host a fake login page that steals credentials or delivers malware.
Protection:
- Upgrade immediately to version 7.14.1 (v7) or 6.30.4 (v6) – this is the only complete fix.
- If you cannot upgrade, reject any redirect path that begins with `//` or contains a protocol scheme (`http://`, `https://`, `javascript:`).
- Implement a strict whitelist of allowed redirect destinations (e.g., only relative paths or a fixed set of domains).
- Use a custom `safeRedirect` wrapper that validates all inputs before passing them to the library function.
- Set a Content Security Policy (CSP) that restricts form actions and navigation targets (`form-action 'self'`).
- Note: Declarative mode is not affected, but if you use programmatic redirects, the above protections apply.
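A stricter version of the `safeRedirect` wrapper recommended above, added here as an example that is not React Router's own code. Instead of string-prefix checks it resolves the candidate against the application's origin with the WHATWG URL parser (the same parser the browser applies to a `Location` header), so backslash and whitespace variants of the double-slash trick are caught as well; `APP_ORIGIN` is an assumed placeholder for the deployed site.

```javascript
// Assumption: the application's public origin. A real app would read it
// from configuration; this value is a constructed placeholder.
const APP_ORIGIN = 'https://app.example.com';

// Returns an absolute same-origin URL to hand to redirect(), or defaultPath
// when the candidate could take the user off-site.
function safeRedirect(dest, defaultPath = '/', appOrigin = APP_ORIGIN) {
  if (typeof dest !== 'string') return defaultPath;

  // Browsers strip ASCII whitespace and control characters before parsing,
  // so "\t//evil.com" would still be read as protocol-relative. Strip them
  // first so the checks below see what the browser will see.
  const cleaned = dest.replace(/[\u0000-\u0020]/g, '');

  // Allow only in-app relative paths: exactly one leading slash that is not
  // followed by a second slash or a backslash (browsers treat "\" as "/").
  // This also rejects absolute URLs and scheme prefixes such as javascript:.
  if (!/^\/(?![\/\\])/.test(cleaned)) return defaultPath;

  let resolved;
  try {
    resolved = new URL(cleaned, appOrigin);
  } catch {
    return defaultPath;
  }

  // Defence in depth: the resolved target must still be on our origin.
  if (resolved.origin !== new URL(appOrigin).origin) return defaultPath;

  // Return the absolute same-origin URL rather than resolved.pathname:
  // dot-segment normalisation can turn "/..//evil.com" into a pathname that
  // starts with "//", which would reintroduce the protocol-relative problem.
  return resolved.href;
}
```

In a loader you would call `redirect(safeRedirect(url.searchParams.get('redirect')))`; the returned value is always `defaultPath` or a URL on `APP_ORIGIN`.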

Impact:

  • Phishing attacks – attackers can impersonate the legitimate site and harvest user credentials.
  • Bypass of same‑origin restrictions – the open redirect can be chained with other vulnerabilities (e.g., XSS, CSRF) to increase their impact.
  • Loss of user trust – victims redirected to malicious pages may believe the original site is compromised.
  • Potential for further exploitation – if the application uses a redirect‑based authentication flow, an attacker could steal OAuth tokens or session cookies by redirecting to a controlled domain that mirrors the victim’s session.


Sources:

Reported By: github.com