Jun 3, 2026 · 7 min read
React Router fails to validate protocol-relative double-slash URLs (e.g., //attacker.com) in its redirect helper, allowing attackers to bypass internal redirect checks and route users to external malicious sites.
An open redirect vulnerability exists in the react-router library due to insufficient validation of double-slash prefix paths in the redirect programmatic navigation helper. Attackers can leverage this to bypass standard destination validation checks and redirect users to malicious domains. This occurs because browsers interpret double-slash URLs as protocol-relative targets rather than relative application paths.
The React Router framework is a core component for client-side and server-side routing in modern React applications. Beginning in version 6.4, React Router introduced Data Routers, which enabled features such as data loaders, actions, and programmatic navigation utilities like the redirect function. This utility allows developers to return a response that instructs the router to navigate to a new path or external URL.
CVE-2026-40181 identifies an open redirect vulnerability within this redirection processing layer. The flaw arises from the way React Router evaluates and processes relative paths during programmatic navigation. When an application passes a user-controlled string that begins with two slashes (such as //attacker.com) to the redirect function, the routing engine fails to recognize it as an external protocol-relative link and neutralize it.
As a consequence, the application inadvertently facilitates an open redirect. Standard input-validation checks designed by developers to ensure redirection targets are local (for example, verifying if a URL begins with a single slash /) are bypassed because a double-slash string satisfies the check but is processed by browsers as a protocol-relative external domain.
To understand the root cause, one must examine how modern web browsers parse and resolve relative URLs. Under the URL specification, any string that begins with two forward slashes (//) followed by a domain name is treated as a protocol-relative URL. When the browser attempts to fetch or navigate to this target, it automatically inherits the active protocol (either http: or https:) of the current origin.
React Router's internal transition system distinguishes between internal application navigation and hard external document navigation. When a loader or action returns a redirect response, the client-side router intercepts the Location header. If the path is classified as local, React Router uses its history mechanism to navigate within the single-page application context. However, if the destination is recognized as external, the application falls back to standard browser-level redirection using the window.location.assign() interface.
The core defect in React Router's architecture is the absence of verification for protocol-relative formats inside the redirect validation sequence. The library treated strings starting with two slashes as relative route paths rather than absolute external URLs. Consequently, when client-side execution processes the redirect payload or the browser processes the raw server-side 302 response, the target address is interpreted relative to the browser protocol rather than the host domain, leading directly to external redirection.
An examination of the vulnerable pattern highlights how naive checking logic allows attackers to bypass security boundaries. Consider the following common logic used by developers to validate user-controlled redirect targets before passing them to the framework:
```js
// Vulnerable Application Code Pattern
import { redirect } from "react-router";

export async function loader({ request }) {
  const url = new URL(request.url);
  const target = url.searchParams.get("redirectTo");
  // The developer attempts to restrict redirects to internal paths
  if (target && target.startsWith("/")) {
    // If target is "//attacker.com", it starts with "/" and is allowed
    return redirect(target);
  }
  return redirect("/home");
}
```

In the vulnerable versions of React Router, the framework's internal transition manager handles the redirect response. It extracts the location value and executes the window navigation without checking whether the relative-looking path is actually a protocol-relative URL:
```js
// Conceptual representation of the vulnerable library transition handler
// (simplified stand-in, not the actual React Router source)
function isExternalUrl(value) {
  // Only absolute http(s) URLs are classified as external
  return /^https?:\/\//i.test(value);
}

function handleRedirect(locationValue) {
  if (isExternalUrl(locationValue)) {
    // Safely handles absolute URLs starting with http:// or https://
    window.location.assign(locationValue);
  } else {
    // Treats "//attacker.com" as an internal path, but window.location.assign()
    // will resolve it as a protocol-relative external URL
    window.location.assign(locationValue);
  }
}
```

The official patch addresses this issue by updating the internal path-parsing and validation utilities within React Router. The framework now explicitly identifies and rejects or sanitizes strings starting with two slashes (//) or a slash followed by a backslash (/\) during redirect resolution. This prevents the browser from treating a client-side navigation state as an external origin transition.
Exploiting this vulnerability does not require authenticated status or specialized execution privileges. The attacker must first locate an application route that exposes a query parameter or form field which is dynamically parsed and supplied to the React Router redirect utility. Common targets include login redirection parameters, post-action feedback flows, or locale-switching links.
The attacker constructs a link containing a double-slash payload targeting a malicious external domain. For example:
https://trusted-app.com/login?next=//malicious-domain.com/phish-page
When the victim clicks the link and performs the action (e.g., successful authentication), the backend loader or action extracts the next value. Because the string begins with a slash, it bypasses basic checks and is passed to redirect("//malicious-domain.com/phish-page"). The server returns an HTTP 302 with Location: //malicious-domain.com/phish-page, or the client-side single-page app framework transitions via window.location.assign("//malicious-domain.com/phish-page"). The browser resolves this protocol-relative destination and loads the malicious site.
While open redirect vulnerabilities do not directly compromise server-side assets or database confidentiality, their impact on user-session integrity and brand reputation is substantial. They are primary mechanisms used in spearphishing campaigns to bypass spam filters and security boundaries. Because the initial URL points to a legitimate, trusted domain, security gateways and users are highly likely to trust the link.
Once the browser processes the protocol-relative transition, the victim is transferred to an external domain under the attacker's absolute control. Attackers commonly construct realistic phishing templates that mimic the host application's login UI, tricking users into re-authenticating and yielding their credentials or session tokens.
In React Router applications that leverage server-side rendering (SSR), this vulnerability also allows attackers to manipulate response headers. This can interfere with intermediate caching proxies or Content Delivery Networks (CDNs), which might cache the 302 redirect response with the malicious target location, impacting subsequent visitors of the legitimate route.
The primary remedy for CVE-2026-40181 is to upgrade the react-router and react-router-dom packages to secure releases. For projects using the v6 release branch, upgrade to version 6.30.4 or higher. For teams utilizing the v7 framework layer (including newer Remix applications), deploy version 7.14.1 or newer.
If immediate library upgrades are restricted due to release freezes or compatibility conflicts, developers must implement robust manual validation on all redirection values. Naive checks using .startsWith("/") must be replaced with strict validation logic that explicitly denies double slashes and backslashes.
```ts
// Recommended mitigation helper
import { redirect } from "react-router";

export function safeRedirect(url: string | null, fallback: string = "/"): Response {
  if (!url) {
    return redirect(fallback);
  }
  // Validate that the path is relative and does not use a protocol-relative
  // form: reject "//host" and the browser-equivalent "/\host"
  const isRelative = url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
  if (isRelative) {
    return redirect(url);
  }
  return redirect(fallback);
}
```

Additionally, deploying a Content Security Policy (CSP) with a restricted form-action and auditing any DOM navigation vectors provides defense-in-depth, minimizing the risk of unauthorized external redirections across the organization's web applications.
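As an added example (not part of the original post or of the React Router code base), the following JavaScript contrasts the naive startsWith("/") check from the vulnerable loader above with an origin-based check that resolves the candidate target exactly as the browser will, using the WHATWG URL parser. APP_ORIGIN, the function names and the sample targets are assumptions constructed for this demonstration.

```javascript
// Added example: naive prefix check vs. origin-based resolution.
// APP_ORIGIN and the sample targets below are constructed for the demo.
const APP_ORIGIN = "https://trusted-app.com";

// The pattern from the vulnerable loader: accepts anything starting with "/".
function naiveIsInternal(target) {
  return typeof target === "string" && target.startsWith("/");
}

// Resolve the target against the app origin the way a browser does and
// require the resulting origin to be the app's own. Returns the normalized
// path to redirect to, or null if the target must be rejected.
function resolveInternalTarget(target, origin = APP_ORIGIN) {
  if (typeof target !== "string" || !target.startsWith("/")) return null;
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return null; // unparsable input is never a valid redirect
  }
  // "//host" and "/\host" both resolve to a different origin here,
  // because WHATWG parsing treats "\" like "/" for http(s) URLs.
  if (resolved.origin !== origin) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Drop-in replacement for the startsWith("/") gate in a loader/action.
function safeRedirectTarget(target, fallback = "/") {
  return resolveInternalTarget(target) ?? fallback;
}

// Constructed sample inputs: what each check decides for them.
const SAMPLES = [
  "/dashboard",
  "/settings?tab=security",
  "//malicious-domain.com/phish-page", // protocol-relative
  "/\\malicious-domain.com",            // backslash variant
  "https://malicious-domain.com",       // absolute URL
];

function compareChecks(samples = SAMPLES) {
  return samples.map((target) => ({
    target,
    naive: naiveIsInternal(target),
    resolved: resolveInternalTarget(target),
  }));
}
```

Running compareChecks() shows the naive check admitting both the double-slash and the backslash variants, while the origin-based check rejects them and keeps only genuinely local paths.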
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

| Attribute | Detail |
|---|---|
| CWE ID | CWE-601 (URL Redirection to Untrusted Site) |
| Attack Vector | Network (AV:N) |
| CVSS Score | 6.6 |
| EPSS Score | 0.00041 |
| Impact | High Integrity Impact (External Redirection Phishing) |
| Exploit Status | Unproven (No active public exploits) |
| KEV Status | Not Listed |