CVE-2026-22029 Overview
A Cross-Site Scripting (XSS) vulnerability has been reported in React Router, a widely used routing library for React applications. It affects @remix-run/router versions prior to 1.23.2 and react-router versions 7.0.0 through 7.11.0. In Framework Mode, Data Mode, or the unstable RSC modes, a redirect returned from a loader or action whose target is built from untrusted input (an open redirect) can carry a URL with a script-bearing scheme such as javascript:; the client-side router navigates to it, and the script runs in the victim's browser on the application's origin.
Critical Impact
An attacker who can influence a redirect target (through an open redirect, or any redirect built from untrusted input) can execute arbitrary JavaScript in the victim's browser session on the application's origin. That gives the attacker the same reach as any XSS: session hijacking, credential theft, and actions performed on behalf of the authenticated user.
Affected Products
- @remix-run/router versions prior to 1.23.2
- react-router versions 7.0.0 through 7.11.0
- Remix applications (v1 and v2 both depend on @remix-run/router) whose resolved @remix-run/router is older than 1.23.2; check the installed version rather than the mode names, which are React Router v7 terminology
Discovery Timeline
- 2026-01-10 - CVE-2026-22029 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22029
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting) and stems from missing scheme validation in React Router's handling of redirects returned by loaders and actions. When an application builds a redirect target from untrusted input, or otherwise contains an open redirect, the affected versions navigate to whatever URL they are handed, including one with a javascript: scheme. A plain HTTP 3xx whose Location is a javascript: URL is refused by the browser, but these redirects are carried out by the client-side router, and a javascript: URL handed to the browser's location API runs in the page's origin.
Exploitation requires user interaction (the victim must follow an attacker-supplied link) and crosses a security boundary, since the attacker's script runs on the application's origin, compromising both confidentiality and integrity of the victim's session. Only applications using Framework Mode, Data Mode, or the unstable RSC (React Server Components) modes are affected; Declarative Mode with <BrowserRouter> has no loaders or actions and is not impacted.
Root Cause
The root cause is insufficient URL validation in the router's redirect handling. When a loader or action returns a redirect, the router takes the Location value and performs a client-side navigation to it without checking the scheme, so targets such as javascript: are not rejected. Only http(s) and same-origin relative targets are legitimate destinations here; because the check is absent, an attacker-controlled target bypasses the router's normal navigation handling and executes script in the user's browser context.
Attack Vector
The attack vector is network-based and requires the following conditions:
- The target application must be using React Router in Framework Mode, Data Mode, or unstable RSC modes
- The application must build a redirect target from untrusted input (for example, a post-login returnTo parameter) or otherwise contain an open redirect
- An attacker crafts a link to the application whose redirect input carries a javascript: URL
- A victim who is logged in must click the link or be sent to it by another site
- The JavaScript payload executes within the context of the victim's authenticated session
The attacker exploits the flaw by feeding a malicious redirect target into a loader or action that derives its redirect from user-controlled input. When the client-side router processes the resulting redirect it does not reject the scheme, and the browser executes the script embedded in the javascript: URL. Note that the application-level open redirect is the precondition: without it, the missing check in the router is not reachable.
Detection Methods for CVE-2026-22029
Indicators of Compromise
- Redirect targets in application logs carrying a javascript: scheme; check both the Location values and the query parameters they were built from, and remember the scheme may be upper- or mixed-case, preceded by whitespace or control characters, split by tabs or newlines (which browsers strip), or percent-encoded in the query string
- Content Security Policy violation reports showing a blocked javascript: URL or inline script execution
- User reports of suspicious behavior after clicking links within the application
- Network traffic showing encoded or obfuscated JavaScript payloads in URL parameters
Detection Strategies
- Deploy a Content Security Policy whose script-src omits 'unsafe-inline': the browser then refuses javascript: URLs as well as inline scripts, and report-to/report-uri lets you collect the blocked attempts. A policy that still allows 'unsafe-inline' offers no protection against this issue
- Monitor application logs for redirect targets whose scheme is anything other than http or https
- Deploy web application firewall (WAF) rules that flag URL-based XSS patterns in redirect parameters; treat this as a detection aid, not a fix, since the patterns above are easy to vary
- Review code for loader and action functions that construct redirects from user input
Monitoring Recommendations
- Log the redirect target returned by every loader and action (the Location value together with the input it was derived from) so redirects can be reviewed after the fact
- Set up alerts for CSP violation reports indicating blocked script execution
- Monitor for unusual patterns in URL query parameters across application endpoints
- Implement client-side error monitoring to capture unexpected JavaScript errors
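The log review described in the detection strategies and monitoring recommendations above, as an added example for this page (not code from the advisory or from React Router): a detector that scans redirect log lines for targets whose scheme is not http(s) or whose host is not the application's own. It parses each candidate with the WHATWG URL parser, the same rules browsers apply, so mixed case, leading whitespace, embedded tabs and protocol-relative forms are all normalised before the check. The log lines are constructed, and the field names (ts, path, location, url), the redirect parameter names and the application origin are assumptions about what your logging pipeline emits.

```javascript
// Added example: scan redirect logs for script-bearing or off-origin targets.
// Field names, parameter names and APP_ORIGIN are assumptions, not from the advisory.

const APP_ORIGIN = "https://app.example"; // assumed origin of the monitored app
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);
// Query parameters commonly used to carry a post-login return target (assumed names).
const REDIRECT_PARAMS = ["returnTo", "redirect", "next", "url"];

// Constructed sample: one JSON line per redirect a loader/action returned
// ("location"), or per incoming request whose query string carried a target ("url").
const SAMPLE_LOG = [
  '{"ts":"2026-01-14T10:00:01Z","path":"/login","location":"/dashboard"}',
  '{"ts":"2026-01-14T10:00:02Z","path":"/login","location":"javascript:alert(document.cookie)"}',
  // mixed case and leading spaces: browsers trim the input and lower-case the scheme
  '{"ts":"2026-01-14T10:00:03Z","path":"/login","location":"  JaVaScRiPt:alert(1)"}',
  // embedded tab (the JSON escape \t): browsers strip tabs/newlines before parsing
  '{"ts":"2026-01-14T10:00:04Z","path":"/login","location":"java\\tscript:alert(1)"}',
  '{"ts":"2026-01-14T10:00:05Z","path":"/login","location":"https://app.example/settings"}',
  // protocol-relative: a different host, not a path on our origin
  '{"ts":"2026-01-14T10:00:06Z","path":"/login","location":"//evil.example/phish"}',
  '{"ts":"2026-01-14T10:00:07Z","path":"/login","location":"data:text/html,<script>alert(1)</script>"}',
  // percent-encoded in the query string; URLSearchParams decoding yields javascript:
  '{"ts":"2026-01-14T10:00:08Z","url":"/login?returnTo=java%73cript:alert(1)"}',
  '{"ts":"2026-01-14T10:00:09Z","url":"/login?returnTo=%2Fdashboard&next=https%3A%2F%2Faccounts.example%2Fauth"}',
];

// Classify a raw redirect target as a browser would resolve it against our origin.
function classifyTarget(raw) {
  let url;
  try {
    url = new URL(String(raw), APP_ORIGIN);
  } catch {
    return "unparseable";
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return "dangerous-scheme"; // javascript:, data:, ...
  if (url.origin !== APP_ORIGIN) return "off-origin"; // may be legitimate (IdP), still worth review
  return "same-origin";
}

// Walk JSON log lines; report every target that is not a same-origin navigation.
function scanRedirectLogs(lines, paramNames = REDIRECT_PARAMS) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    if (rec.location !== undefined) {
      const verdict = classifyTarget(rec.location);
      if (verdict !== "same-origin") hits.push({ ts: rec.ts, field: "location", value: rec.location, verdict });
    }
    if (rec.url !== undefined) {
      let req;
      try {
        req = new URL(rec.url, APP_ORIGIN);
      } catch {
        continue;
      }
      for (const name of paramNames) {
        for (const value of req.searchParams.getAll(name)) {
          const verdict = classifyTarget(value);
          if (verdict !== "same-origin") hits.push({ ts: rec.ts, field: `query:${name}`, value, verdict });
        }
      }
    }
  }
  return hits;
}
```

Run scanRedirectLogs(SAMPLE_LOG) and every line except the two plain same-origin ones is reported; the dangerous-scheme verdicts are the ones to alert on, while off-origin hits (an identity provider, for instance) are worth a review rule rather than a page-out. Flagging any non-http(s) scheme rather than only javascript: is a deliberate choice: it costs nothing and catches the variants an allowlist of bad schemes would miss.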
How to Mitigate CVE-2026-22029
Immediate Actions Required
- Upgrade @remix-run/router to version 1.23.2 or later immediately
- Upgrade react-router to version 7.12.0 or later
- Audit all loaders and actions that perform redirects to ensure they do not use untrusted input
- Implement URL allowlisting for any redirect destinations in your application
Patch Information
The vulnerability has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. Organizations should upgrade to these versions or later as soon as possible. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Validate every redirect target on the server before returning it from a loader or action; never pass user input straight to redirect()
- Maintain an allowlist of permitted redirect destinations and fall back to a fixed safe path for anything not on it
- Accept only root-relative paths for internal redirects: a single leading slash, not // or /\ (both are protocol-relative and land on another host), and no scheme at all; re-serialising the validated target as path, query and fragment guarantees no scheme survives
- Declarative Mode (<BrowserRouter>) has no loaders or actions and is not affected, but switching modes is a rewrite of the application's data layer rather than a quick fix; upgrading is the real remedy
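The open-redirect precondition described under Attack Vector, and the server-side validation and root-relative-path workarounds listed above, as an added example for this page (not code from the advisory or from React Router): a login loader that honours a ?returnTo= query parameter, first in the open-redirect form the advisory warns about and then hardened. The route, the parameter name and the application origin are assumptions; `redirect` is a local stand-in with the same shape as React Router's helper (a 302 Response whose Location header carries the target).

```javascript
// Added example: vulnerable vs. hardened loader. Route, parameter name and
// origin are assumptions; `redirect` is a stand-in, not React Router's own.

function redirect(location, status = 302) {
  return new Response(null, { status, headers: { Location: location } });
}

// VULNERABLE (do not ship): the target is copied verbatim from the query string.
// Combined with an affected router version, ?returnTo=javascript:alert(1)
// becomes the client-side navigation target.
function vulnerableLoginLoader({ request }) {
  const returnTo = new URL(request.url).searchParams.get("returnTo") ?? "/";
  return redirect(returnTo);
}

// Reduce an untrusted candidate to a root-relative path on our own origin, or
// fall back. Parsing with the WHATWG URL parser (the rules browsers use) handles
// the tricks a string check misses: leading whitespace, mixed-case or tab-split
// schemes, and protocol-relative forms such as //host and /\host.
function safeReturnPath(candidate, appOrigin, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  let url;
  try {
    url = new URL(candidate, appOrigin);
  } catch {
    return fallback; // unparseable input is never a valid destination
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  if (url.origin !== appOrigin) return fallback; // also rejects http:// downgrades
  // Re-serialise as path + query + fragment: no scheme or host can survive this.
  return url.pathname + url.search + url.hash;
}

// HARDENED: every redirect target goes through safeReturnPath first.
function hardenedLoginLoader({ request }) {
  const reqUrl = new URL(request.url);
  return redirect(safeReturnPath(reqUrl.searchParams.get("returnTo"), reqUrl.origin));
}
```

With a request for /login?returnTo=//evil.example/phish the hardened loader answers with Location: / while the vulnerable one forwards the attacker's host; with ?returnTo=%2Fdashboard%3Ftab%3D1 it yields /dashboard?tab=1. Validating in the loader or action itself matters because that is where the redirect is produced; the client-side router on an affected version will navigate to whatever it receives.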
Upgrade commands (npm):
# Upgrade react-router to the patched release; use install with an explicit version,
# since npm update only moves within the range already in package.json
npm install react-router@^7.12.0
# Upgrade @remix-run/router (React Router v6 / Remix applications)
npm install @remix-run/router@^1.23.2
# Verify what is actually installed, including nested transitive copies
npm ls react-router @remix-run/router
# If an older copy is still nested under another package, update that package
# (e.g. react-router-dom or @remix-run/react) and re-check with npm audit
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.