8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22029

CVE-2026-22029: React Router vulnerable to XSS via Open Redirects

React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22029

CVE-2026-22029:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-router	npm	>= 7.0.0, <= 7.11.0	7.12.0
@remix-run/router	npm	<= 1.23.1	1.23.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core of the vulnerability lies in the normalizeRedirectLocation function within both the @remix-run/router and react-router packages. This function was responsible for processing redirect URLs from loaders and actions. Crucially, it lacked validation for the URL's protocol. This oversight allowed for the injection of javascript: URLs, which, when returned in a redirect response, would be executed by the browser, leading to a cross-site scripting (XSS) vulnerability. The patch addresses this by introducing a blocklist of unsafe protocols (including javascript:, data:, file:, etc.) and checking the redirect URL against this list. Any URL using a blocked protocol will now throw an error, preventing the malicious redirect.

In addition to the primary XSS fix, the patches also introduced Cross-Site Request Forgery (CSRF) protection as a defense-in-depth measure. The new throwIfPotentialCSRFAttack function validates the Origin header of incoming POST requests against a configurable list of allowed origins. This check was added to several functions that handle server-side requests and actions, such as handleDocumentRequest, singleFetchAction, and matchRSCServerRequest, hardening them against CSRF attacks where an attacker could trick a user into performing unintended actions.

Vulnerable functions

normalizeRedirectLocation

packages/router/router.ts

The function `normalizeRedirectLocation` in `@remix-run/router` is vulnerable to an open redirect leading to XSS. Before the patch, this function did not validate the protocol of the redirect URL. An attacker could craft a redirect URL with a `javascript:` scheme, which, when processed by the router and followed by the browser, would execute arbitrary JavaScript in the context of the user's session. The patch introduces a blocklist of invalid protocols, including `javascript:`, to prevent this.

normalizeRedirectLocation

packages/react-router/lib/router/router.ts

Similar to its counterpart in `@remix-run/router`, the `normalizeRedirectLocation` function in `react-router` was also vulnerable to open redirect XSS. It failed to sanitize the redirect URL, allowing for the use of malicious protocols like `javascript:`. The fix is identical, involving the addition of a protocol blocklist to ensure that only safe redirect targets are allowed.

handleDocumentRequest

packages/react-router/lib/server-runtime/server.ts

The `handleDocumentRequest` function was vulnerable as it handled POST requests without verifying the origin of the request. This could allow for Cross-Site Request Forgery (CSRF) attacks. The patch adds a call to `throwIfPotentialCSRFAttack` to validate the request's origin against a list of allowed origins, mitigating the CSRF risk.

singleFetchAction

packages/react-router/lib/server-runtime/single-fetch.ts

The `singleFetchAction` function was also found to be vulnerable to CSRF attacks. It processed action requests without checking the request's origin. The fix introduces a call to `throwIfPotentialCSRFAttack`, which ensures that the request originates from a trusted domain, thus preventing CSRF.

matchRSCServerRequest

packages/react-router/lib/rsc/server.rsc.ts

The `matchRSCServerRequest` function, when handling server actions (POST requests), did not perform origin checks, making it susceptible to CSRF. The patch addresses this by calling `throwIfPotentialCSRFAttack` to validate the origin of the request before processing the action.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22029: React Router vulnerable to XSS via Open Redirects

CVE-2026-22029:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2026-22029: React Router vulnerable to XSS via Open Redirects

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8

8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI