What is GHSA-2j2x-hqr9-3h42?

GHSA-2j2x-hqr9-3h42 is a security advisory published by GitHub Security Advisories with Medium severity. React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Which CVE IDs does GHSA-2j2x-hqr9-3h42 cover?

GHSA-2j2x-hqr9-3h42 covers the following CVE IDs: CVE-2026-40181. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-2j2x-hqr9-3h42?

GHSA-2j2x-hqr9-3h42 affects 2 products, including: npm/react-router:\u003e= 7.0.0, \u003c 7.14.1; npm/react-router:\u003e= 6.7.0, \u003c 6.30.4.

GHSA-2j2x-hqr9-3h42Medium

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-40181 →

📋 Description

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

🎯 Affected products2

npm/react-router:>= 7.0.0, < 7.14.1
npm/react-router:>= 6.7.0, < 6.30.4

🔗 References (3)

https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
https://nvd.nist.gov/vuln/detail/CVE-2026-40181
https://github.com/advisories/GHSA-2j2x-hqr9-3h42