CVE-2026-40181 Overview
CVE-2026-40181 is an open redirect vulnerability [CWE-601] in React Router, a widely used routing library for React applications. The flaw is in the redirect helper: a path value beginning with // is passed through to the Location header unchanged, and the browser interprets such a value as a protocol-relative URL rather than a same-origin path. An attacker who controls that value can send users to an external, attacker-controlled domain.
The issue affects React Router versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3. Applications using Declarative Mode with <BrowserRouter> are not affected. Patches are available in versions 7.14.1 and 6.30.4.
Critical Impact
An attacker can send authenticated users from a trusted URL on the application to a phishing page or other malicious endpoint. Because the victim starts on the legitimate site and the redirect inherits its scheme, the hop is easy to miss, which makes credential theft and session-token harvesting practical wherever the application passes an unvalidated redirect target to redirect.
Affected Products
- React Router versions 7.0.0 through 7.14.0
- React Router versions 6.7.0 through 6.30.3
- Applications using the redirect function in Framework or Data modes
Discovery Timeline
- 2026-06-02 - CVE-2026-40181 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40181
Vulnerability Analysis
The vulnerability stems from how React Router's redirect helper processes path values. When a path begins with //, browsers and URL parsers interpret it as a protocol-relative URL rather than a same-origin path. React Router did not normalize or reject such inputs before issuing the redirect response.
An attacker can supply a path such as //evil.example.com/login through query parameters, form submissions, or other user-controlled inputs that flow into redirect. The application then issues an HTTP redirect to the external host, sending the victim away from the trusted site. The impact depends on whether the calling application validates redirect targets before invoking the function.
Applications using Declarative Mode through <BrowserRouter> do not invoke the affected server-side redirect function and are not vulnerable. Framework Mode and Data Mode applications that pass untrusted input to redirect are the primary attack surface.
Root Cause
The redirect function in affected versions does not distinguish a same-origin path from a protocol-relative URL. A string beginning with // is a network-path reference under RFC 3986 (commonly called a protocol-relative URL): when the browser resolves it against the current page it keeps the page's scheme but replaces the host, so a Location header of //attacker.example resolves to https://attacker.example on an HTTPS site. Without normalization or rejection of such values, they flowed through to the Location header unchanged.
Attack Vector
The attacker crafts a URL such as https://victim-app.example/login?returnTo=//attacker.example/phish and delivers it to the victim, typically by phishing email or a link on a page the attacker controls. The application reads returnTo and passes it to redirect(returnTo). The browser receives a 302 response with Location: //attacker.example/phish, resolves that network-path reference against the current page, and navigates to https://attacker.example/phish, inheriting the original scheme. Because the victim started on the legitimate host, the hop is easy to miss, which is why this pattern is common in phishing campaigns that imitate post-login redirects to harvest credentials or session tokens.
No verified public exploit code is available. See the GitHub Security Advisory for additional technical detail.
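The attack vector above, as an added example that is not code from React Router or the advisory: a minimal login action that forwards the returnTo parameter into a redirect, a stand-in for the redirect helper (a plain object carrying the Location header, since the real helper returns a Response with the same header), and a stand-in for how the browser resolves that header. The hostnames and the crafted URLs are constructed for illustration, and the naiveIsLocal guard is a hypothetical check included to show why a scheme-only test is not enough.

```javascript
// Added example, not code from React Router or the advisory: a minimal
// login action that forwards the returnTo parameter into a redirect, with a
// stand-in for how the browser resolves the resulting Location header.
// The hostnames and the crafted URLs below are constructed for illustration.

const APP_ORIGIN = "https://victim-app.example";

// Stand-in for react-router's redirect(): a 302 whose Location header carries
// the supplied value verbatim, which is the behaviour the advisory describes.
// A plain object is used instead of a Response so this runs anywhere.
function redirect(location, status = 302) {
  return { status, headers: { Location: location } };
}

// Vulnerable pattern: the action trusts ?returnTo= as a same-origin path.
function vulnerableLoginAction(requestUrl) {
  const returnTo = new URL(requestUrl).searchParams.get("returnTo") || "/";
  return redirect(returnTo);
}

// A common but insufficient guard (hypothetical): it looks for an explicit
// scheme only, so a protocol-relative value is treated as local.
function naiveIsLocal(target) {
  return !/^https?:\/\//i.test(target);
}

// What the browser does with a relative Location: resolve it against the URL
// of the page that received the response (RFC 3986 reference resolution).
// A network-path reference keeps the scheme and swaps in the new host.
function browserFollow(response, pageUrl) {
  return new URL(response.headers.Location, pageUrl).href;
}

// Where the victim lands after requesting the crafted URL.
function landingPage(requestUrl) {
  return browserFollow(vulnerableLoginAction(requestUrl), requestUrl);
}

// Constructed inputs: the payload from the attack vector, its URL-encoded form
// (searchParams decodes %2F%2F back to //), and a benign same-origin path.
const CRAFTED = [
  `${APP_ORIGIN}/login?returnTo=//attacker.example/phish`,
  `${APP_ORIGIN}/login?returnTo=%2F%2Fattacker.example%2Fphish`,
  `${APP_ORIGIN}/login?returnTo=/dashboard`,
];

for (const url of CRAFTED) {
  console.log(url, "->", landingPage(url), "| naiveIsLocal:",
    naiveIsLocal(new URL(url).searchParams.get("returnTo")));
}
```

The first two crafted URLs both land on https://attacker.example/phish even though the Location header never contains a scheme, and naiveIsLocal accepts them; only the third stays on the application origin.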
Detection Methods for CVE-2026-40181
Indicators of Compromise
- HTTP responses from the application containing Location headers with values beginning with // followed by an external hostname.
- Inbound requests with query or form parameters containing values starting with // targeting redirect endpoints such as returnTo, next, redirect, or url.
- Endpoint or egress telemetry (browser proxy logs, EDR web activity) showing navigation to unfamiliar external domains immediately after a 3xx response from the application. The application's own access logs typically record the request and the 3xx status but not the Location value the browser followed, so pair them with proxy or CDN logs that capture response headers.
Detection Strategies
- Audit application source for calls to redirect() from react-router and react-router-dom and verify input is validated before being passed.
- Run software composition analysis to identify deployed versions of react-router and react-router-dom in the vulnerable ranges.
- Inspect reverse proxy or CDN logs for 3xx responses with protocol-relative Location headers leaving the trusted origin.
Monitoring Recommendations
- Alert on outbound Location headers whose hostname does not match the application's allowlist of trusted domains.
- Monitor authentication flows for redirects that terminate on third-party domains shortly after login.
- Add web application firewall rules to flag redirect-related request parameters (returnTo, next, redirect, url) whose decoded value begins with //, including URL-encoded forms such as %2F%2F and backslash variants such as /\, which browsers treat as slashes. Treat this as a detection and stopgap layer, not a substitute for validating targets in the application.
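The detection and monitoring strategies above, run over constructed log data as an added example that is not part of the original page: a handful of JSON-lines reverse-proxy entries (field names, timestamps, hostnames and the trusted-host allowlist are all assumptions) are checked for 3xx responses whose resolved Location host is off the allowlist and for redirect-related parameters whose decoded value starts with two slashes.

```javascript
// Added example, not from the original page: detection logic run over
// constructed reverse-proxy log lines. Field names, hostnames, timestamps and
// the allowlist are assumptions for illustration.

const APP_ORIGIN = "https://victim-app.example";
const TRUSTED_HOSTS = new Set(["victim-app.example", "cdn.victim-app.example"]);
const REDIRECT_PARAMS = new Set(["returnTo", "next", "redirect", "url"]);

// Constructed JSON-lines proxy log (one object per response).
const LOG_LINES = [
  '{"ts":"2026-06-03T10:00:01Z","method":"GET","uri":"/login?returnTo=/dashboard","status":302,"location":"/dashboard"}',
  '{"ts":"2026-06-03T10:00:02Z","method":"GET","uri":"/login?returnTo=//attacker.example/phish","status":302,"location":"//attacker.example/phish"}',
  '{"ts":"2026-06-03T10:00:03Z","method":"POST","uri":"/login?next=%2F%2Fattacker.example%2Fphish","status":302,"location":"//attacker.example/phish"}',
  '{"ts":"2026-06-03T10:00:04Z","method":"GET","uri":"/logout","status":302,"location":"https://cdn.victim-app.example/bye"}',
  '{"ts":"2026-06-03T10:00:05Z","method":"GET","uri":"/docs?url=https://docs.example/page","status":200,"location":null}',
  '{"ts":"2026-06-03T10:00:06Z","method":"GET","uri":"/login?returnTo=https://attacker.example/x","status":302,"location":"https://attacker.example/x"}',
];

// Resolve a Location header the way a browser would and return its host,
// or null when the header is absent or unparseable.
function locationHost(location, origin) {
  if (!location) return null;
  try {
    return new URL(location, origin).hostname;
  } catch {
    return null;
  }
}

// Request-side indicator: a redirect-related parameter whose decoded value
// begins with two slashes (or backslashes, which browsers treat as slashes).
// URLSearchParams decodes %2F%2F for us, so encoded variants are covered.
function suspiciousParams(uri, origin) {
  const hits = [];
  for (const [name, value] of new URL(uri, origin).searchParams) {
    if (REDIRECT_PARAMS.has(name) && /^[\/\\]{2}/.test(value)) hits.push(`${name}=${value}`);
  }
  return hits;
}

// Classify one parsed log entry; returns the list of reasons it was flagged
// (empty when nothing is suspicious).
function analyzeEntry(entry, origin = APP_ORIGIN) {
  const reasons = [];
  const host = locationHost(entry.location, origin);
  if (entry.status >= 300 && entry.status < 400 && host && !TRUSTED_HOSTS.has(host)) {
    reasons.push(`3xx to untrusted host ${host}`);
  }
  for (const hit of suspiciousParams(entry.uri, origin)) {
    reasons.push(`protocol-relative param ${hit}`);
  }
  return reasons;
}

// Scan a whole log and keep only flagged entries with their reasons.
function scanLog(lines) {
  return lines
    .map((line) => JSON.parse(line))
    .map((entry) => ({ ts: entry.ts, reasons: analyzeEntry(entry) }))
    .filter((result) => result.reasons.length > 0);
}

for (const hit of scanLog(LOG_LINES)) {
  console.log(hit.ts, hit.reasons.join("; "));
}
```

Entries 2 and 3 trip both checks, entry 6 trips only the Location check (an absolute external URL does not start with //), and the redirect to cdn.victim-app.example and the 200 response with an external url parameter are left alone. Running both checks matters: the response-side rule catches targets the request-side pattern cannot describe, and the request-side rule catches attempts that a correctly validating application never turned into a redirect.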
How to Mitigate CVE-2026-40181
Immediate Actions Required
- Upgrade react-router and react-router-dom to version 7.14.1 or 6.30.4 depending on your major version line.
- Audit every call to the redirect function and confirm that inputs originate from trusted sources or are validated against an allowlist.
- Reject any redirect target that, once resolved against the application origin, lands on a different origin. A check that only looks for a leading //, http://, or https:// is not enough on its own: browsers also treat backslashes as slashes, so a value such as /\attacker.example resolves off-origin as well.
Patch Information
The maintainers released fixed versions 7.14.1 and 6.30.4. Details are documented in the React Router GHSA-2j2x-hqr9-3h42 advisory. Update package manifests and rebuild affected applications.
Workarounds
- Validate redirect targets server-side by parsing them with the URL constructor against the application origin and rejecting any host mismatch.
- If you strip leading slashes and scheme prefixes from user-supplied values before passing them to redirect, treat that as defence in depth only: strip-based normalization is easy to bypass (backslash variants, for example) and can mangle legitimate same-origin URLs, so pair it with the origin comparison above.
- Switch routing to Declarative Mode using <BrowserRouter> where feasible, as that mode is not affected.
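The server-side validation described in the workarounds, as an added example that is not React Router's code: a parse-and-compare validator that resolves the supplied value against the application origin and accepts it only if it stays there, shown beside a strip-based normalizer so both can be run on the same inputs. APP_ORIGIN, the probe values and the attacker hostname are assumptions for illustration.

```javascript
// Added example, not React Router's code: server-side validation of a
// user-supplied redirect target against the application origin, shown beside
// a strip-based normalizer so the two can be compared on the same inputs.
// APP_ORIGIN and the sample targets are assumptions for illustration.

const APP_ORIGIN = "https://victim-app.example";

// Strip-based normalization: drop any scheme prefix and leading slashes, then
// put one slash back. Included because it is a common workaround, not because
// it is recommended; see the backslash probe below.
function stripNormalize(target) {
  return "/" + String(target)
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .replace(/^\/+/, "");
}

// Parse-and-compare: resolve the value exactly as the browser will (WHATWG URL
// parsing, which also treats backslashes as slashes for http/https), then
// accept it only if it stays on the application origin. Returns a relative
// reference (path + query + fragment) so the Location header can never carry
// a host, or the fallback when the value is rejected.
function safeRedirectTarget(target, origin = APP_ORIGIN, fallback = "/") {
  if (typeof target !== "string" || target.length === 0) return fallback;
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return fallback;
  }
  if (resolved.origin !== new URL(origin).origin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Where a value would actually send the browser once placed in Location.
function resolvedHost(location, origin = APP_ORIGIN) {
  return new URL(location, origin).hostname;
}

// Constructed probes: a benign path, the advisory's payload, an absolute
// external URL, an absolute URL to the app itself, a backslash variant that
// defeats the strip approach, and a non-http scheme.
const PROBES = [
  "/dashboard?tab=1",
  "//attacker.example/phish",
  "https://attacker.example/phish",
  "https://victim-app.example/account#billing",
  "/\\attacker.example/x",
  "javascript:alert(1)",
];

for (const probe of PROBES) {
  console.log(JSON.stringify(probe),
    "| strip ->", resolvedHost(stripNormalize(probe)),
    "| parse-and-compare ->", safeRedirectTarget(probe));
}
```

The backslash probe is the instructive one: stripping turns /\attacker.example/x into /\attacker.example/x again (only one slash was removed), which the browser resolves to attacker.example, while parse-and-compare rejects it because the resolved origin differs. The validator also reduces a legitimate absolute URL to the application itself down to its path, so the Location header it produces is always a same-origin relative reference.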
# Upgrade React Router to a patched version
npm install react-router@7.14.1 react-router-dom@7.14.1
# or for the 6.x line
npm install react-router@6.30.4 react-router-dom@6.30.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


