6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68470

CVE-2025-68470: React Router has unexpected external redirect via untrusted paths

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68470

CVE-2025-68470:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-router	npm	>= 6.0.0, < 6.30.2	6.30.2
react-router	npm	>= 7.0.0, < 7.9.6	7.9.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an open redirect caused by improper handling of paths starting with // in the resolvePath function. The provided patch for version 6.x of react-router shows that the logic in resolvePath was changed to normalize double slashes in paths. The vulnerable code snippet is the original implementation of resolvePath which does not handle this case, allowing a path like //google.com to be passed through, which the browser then interprets as an external URL. The fix involves replacing // with / to treat it as a root-relative path within the application.

Vulnerable functions

resolvePath

packages/router/utils.ts

The `resolvePath` function is vulnerable to an open redirect. If `toPathname` is a URL starting with `//`, such as `//google.com`, the condition `toPathname.startsWith("/")` evaluates to true. This causes the function to return the URL as is, which is then interpreted by the browser as a protocol-relative URL, leading to a redirection to an external site. The vulnerability is triggered by passing untrusted input to navigation components that use this function.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68470: React Router has unexpected external redirect via untrusted paths

CVE-2025-68470:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.5

6.5

CVE-2025-68470: React Router has unexpected external redirect via untrusted paths

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI