CVE-2026-22029: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in remix-run react-router
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-22029 is a cross-site scripting vulnerability categorized under CWE-79, found in react-router and @remix-run/router, popular routing libraries for React applications. The vulnerability occurs when open navigation redirects are generated from untrusted input within loaders or actions in Framework Mode, Data Mode, or unstable React Server Components (RSC) modes. These modes allow dynamic routing and data fetching, but if redirect paths incorporate untrusted content without proper sanitization or validation, they can produce unsafe URLs. When a user follows such a crafted redirect, malicious JavaScript embedded in the URL can execute in the client’s browser context, compromising confidentiality and integrity. Importantly, this issue does not affect applications using Declarative Mode (such as <BrowserRouter>), which handle routing differently and do not generate redirects in the vulnerable manner. The vulnerability affects @remix-run/router versions below 1.23.2 and react-router versions from 7.0.0 up to but not including 7.12.0. The patch released in versions 1.23.2 and 7.12.0 addresses this by properly neutralizing input used in redirect paths to prevent injection of executable scripts. The CVSS v3.1 base score is 8.0, reflecting high severity due to the potential for remote code execution in the browser without requiring privileges, though user interaction is necessary. No public exploits have been observed so far, but the widespread use of these libraries in modern web applications makes this a significant concern.
Potential Impact
The primary impact of this vulnerability is the execution of arbitrary JavaScript in the context of affected web applications, leading to potential theft of sensitive user data such as authentication tokens, session cookies, or personal information. Attackers could also perform actions on behalf of users (session hijacking), deface web content, or redirect users to malicious sites. Since react-router and @remix-run/router are widely used in single-page applications (SPAs) built with React, many organizations across industries relying on these frameworks for client-side routing are at risk. The vulnerability affects confidentiality and integrity but not availability. Exploitation requires crafting malicious URLs and tricking users into clicking them, which could be achieved via phishing or malicious third-party content. The scope includes any web application using the vulnerable versions in Framework, Data, or unstable RSC modes with open redirect functionality that processes untrusted input. Enterprises with customer-facing React applications, SaaS providers, and web platforms using these libraries are particularly exposed. Without mitigation, attackers can leverage this flaw to compromise user trust and data security, potentially leading to regulatory and reputational damage.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade to @remix-run/router version 1.23.2 or later and react-router version 7.12.0 or later, where the issue is patched. Developers should audit their applications to identify any usage of open redirects or dynamic navigation redirects originating from untrusted sources, especially in Framework Mode, Data Mode, or unstable RSC modes. Avoid constructing redirect URLs from user input without strict validation and sanitization. Where possible, prefer Declarative Mode routing (e.g., <BrowserRouter>) which is not affected by this vulnerability. Implement Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Conduct thorough code reviews and penetration testing focused on redirect handling and input validation. Educate developers on secure routing practices and the risks of open redirects. Monitor application logs and user reports for suspicious redirect behavior or unexpected script execution. If immediate upgrading is not feasible, consider temporarily disabling or restricting features that generate redirects from untrusted inputs.
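The recommendation above is to validate redirect paths built from untrusted input before they reach `redirect()` in a loader or action. The following is an added example, not react-router's own code and not the upstream patch: a same-origin allowlist check for a `returnTo` parameter. The loader helper shape and the `returnTo` parameter name are assumptions.

```javascript
// Added example (not react-router's own code): validate a redirect target that came
// from untrusted input before it reaches redirect() in a loader or action.
// Policy: accept only absolute, same-origin paths such as "/account?tab=1"; anything
// that would change origin or scheme (protocol-relative, backslash variants,
// javascript:, full URLs) falls back to a fixed safe path.
const FALLBACK = "/";
// Dummy base used only for parsing; the app's real origin never enters the check.
const PARSE_BASE = "https://app.invalid";

function safeRedirectTarget(raw, fallback = FALLBACK) {
  if (typeof raw !== "string") return fallback;
  const value = raw.trim();
  // Must start with exactly one "/": "//host" is protocol-relative, and "/\host"
  // is parsed the same way by browsers for http(s) URLs.
  if (!value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) {
    return fallback;
  }
  let parsed;
  try {
    parsed = new URL(value, PARSE_BASE);
  } catch {
    return fallback; // unparseable input is never a valid route
  }
  // Belt and braces: the WHATWG parser strips tabs/newlines and resolves "..",
  // so re-check that the origin is still ours after parsing.
  if (parsed.origin !== PARSE_BASE) return fallback;
  // Return the normalised path-only form, never the raw string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Hypothetical loader helper (assumed shape): read ?returnTo= from the Request that
// react-router passes to loaders/actions and return the path redirect() should get.
function loginSuccessTarget(request) {
  const returnTo = new URL(request.url).searchParams.get("returnTo");
  return safeRedirectTarget(returnTo);
}
```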
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, India, Brazil, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.718Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961c40f19784dcf52ace86d
Added to database: 1/10/2026, 3:14:23 AM
Last enriched: 2/27/2026, 8:04:04 AM
Last updated: 3/26/2026, 4:09:51 AM