CVE-2025-68470
Last modified
CVE-2025-68470 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shopify | React-Router | >= 6.0.0, <= 6.30.1 |
| Shopify | React-Router | >= 7.0.0, <= 7.9.5 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-68470?
How severe is CVE-2025-68470?
How do I fix CVE-2025-68470?
Are you affected by CVE-2025-68470?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST