CVE-2026-22029: React Router vulnerable to XSS via Open Redirects

January 8, 2026 (updated January 11, 2026)

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

[!NOTE] This does not impact applications that use Declarative Mode (<BrowserRouter>).

References

github.com/advisories/GHSA-2w69-qvjg-hvjx
github.com/remix-run/react-router
github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
nvd.nist.gov/vuln/detail/CVE-2026-22029

Code Behaviors & Features

Detect and mitigate CVE-2026-22029 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →