CVE-2026-22029 is a cross-site scripting vulnerability classified under CWE-79, found in react-router versions 7.0.0 through 7.11.0 and @remix-run/router versions prior to 1.23.2. React Router is a widely used routing library for React applications, enabling single-page application (SPA) navigation. The vulnerability manifests when open navigation redirects are generated from untrusted data within loaders or actions in Framework Mode, Data Mode, or the unstable React Server Components (RSC) modes. These modes allow dynamic URL generation for navigation. If the redirect paths are constructed from untrusted input without proper sanitization or validation, unsafe URLs can be introduced. This leads to unintended JavaScript execution on the client side, effectively an XSS attack vector. Notably, applications using Declarative Mode (such as <BrowserRouter>) are not affected, as this mode does not process redirects in the vulnerable manner. The vulnerability requires user interaction, such as clicking a crafted link or being redirected by the application. The CVSS v3.1 base score is 8.0, indicating high severity, with network attack vector, high attack complexity, no privileges required, user interaction needed, and a scope change affecting confidentiality and integrity. The vulnerability has been addressed in react-router 7.12.0 and @remix-run/router 1.23.2 by improving input handling and sanitization of redirect URLs. No public exploits have been reported yet, but the widespread use of react-router in web applications makes this a significant risk if unpatched.

For European organizations, this vulnerability poses a significant risk to web applications built with affected versions of react-router or @remix-run/router, especially those that dynamically generate redirect URLs from user input or other untrusted sources. Successful exploitation can lead to client-side code execution, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver malicious payloads. This can compromise user confidentiality and integrity of data, damage organizational reputation, and potentially lead to regulatory non-compliance under GDPR if personal data is exposed. The impact is heightened for sectors with high-value targets such as finance, healthcare, and government services that rely on React-based SPAs. Since exploitation requires user interaction, phishing or social engineering campaigns could be used to lure victims into triggering the vulnerability. The vulnerability does not affect server availability but can disrupt trust and user safety. Organizations with public-facing web applications using affected versions should prioritize patching to prevent exploitation.

1. Upgrade react-router to version 7.12.0 or later and @remix-run/router to version 1.23.2 or later immediately to apply the official patches addressing this vulnerability. 2. Audit all redirect URL generation code to ensure no untrusted input is used directly in navigation redirects without proper validation and sanitization. 3. Implement strict allowlists for redirect destinations to prevent open redirect scenarios. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 5. Educate developers on secure coding practices related to URL handling and React Router usage modes, emphasizing the risks of Framework, Data, and RSC modes when handling untrusted input. 6. Monitor web application logs for suspicious redirect patterns or unusual user navigation behavior that could indicate exploitation attempts. 7. Conduct regular security testing, including automated scanning and manual penetration testing focused on client-side injection vectors. 8. If immediate patching is not feasible, consider temporarily disabling or restricting features that generate redirects from untrusted sources until updates can be applied.