
CVE-2026-22029: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in remix-run react-router

Severity: High
Tags: Vulnerability, CVE-2026-22029, cve, cve-2026-22029, cwe-79
Published: Sat Jan 10 2026 (01/10/2026, 02:42:32 UTC)
Source: CVE Database V5
Vendor/Project: remix-run
Product: react-router

Description

React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

AI-Powered Analysis

AI analysis last updated: 01/17/2026, 07:47:52 UTC

Technical Analysis

CVE-2026-22029 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects the React Router library and @remix-run/router, the framework-agnostic routing package that underlies React Router and Remix. React Router is widely used for client-side routing in React single-page applications (SPAs). The vulnerability affects @remix-run/router versions prior to 1.23.2 and react-router versions 7.0.0 through 7.11.0 (7.12.0 is the first fixed release). The root cause is that redirects returned by loaders or actions in Framework Mode, Data Mode, or the unstable React Server Components (RSC) modes are followed by the client without the redirect target being neutralized. These modes let route loaders and actions compute the redirect destination at runtime; if that destination is built from untrusted input, or is reachable through an existing open redirect, the client can be sent to a URL the browser executes as script (for example a javascript: URL) rather than a location it navigates to, giving an attacker JavaScript execution in the victim's origin. Applications using Declarative Mode (<BrowserRouter>) do not perform these loader- or action-driven redirects and are not affected. The vulnerability carries a CVSS v3.1 base score of 8.0 (High): network attack vector, high attack complexity, no privileges required, user interaction required, changed scope, and high impact on confidentiality and integrity with no impact on availability. No exploitation in the wild has been reported, but the risk is significant for applications that let user-supplied data reach a redirect. The issue was publicly disclosed on January 10, 2026, and patches are available in @remix-run/router 1.23.2 and react-router 7.12.0.

Potential Impact

For European organizations, this vulnerability poses a considerable risk to web applications built on affected versions of react-router or @remix-run/router. Successful exploitation executes arbitrary JavaScript in the victim's browser, in the application's origin, which can expose authentication tokens, session cookies, or personal data and so compromises confidentiality. Integrity is also affected, since the injected script can alter client-side state, requests, or UI elements on the victim's behalf. Availability is not directly affected, but the foothold can be used to stage further attacks. Organizations whose loaders or actions construct redirects from untrusted input (for example a returnTo or next query parameter) are the ones actually exposed. Given the wide adoption of React across Europe's e-commerce, finance, and public-sector web applications, the population of potentially affected applications is large, and GDPR's data-protection obligations raise the consequences of any breach that results.

Mitigation Recommendations

European organizations should promptly audit their web applications for affected versions of react-router (7.0.0 through 7.11.0) and @remix-run/router (prior to 1.23.2), including transitive copies pulled in by Remix or other frameworks. The primary mitigation is to upgrade to react-router 7.12.0 or later and @remix-run/router 1.23.2 or later. Independently of the upgrade, review every loader and action that returns a redirect in Framework Mode, Data Mode, or the unstable RSC modes and ensure the target is never taken verbatim from untrusted input: accept only same-origin relative paths from an allowlist, reject anything carrying a URL scheme or a protocol-relative host, and fall back to a fixed safe path. Deploy a Content Security Policy as defense in depth; a script-src directive that omits 'unsafe-inline' prevents the browser from executing javascript: URLs. Where feasible, prefer Declarative Mode (<BrowserRouter>), which is not affected. Conduct security testing that targets routing and redirect handling, combining automated scanning with manual code review, and monitor security advisories so that any future exploit reports trigger prompt patching.
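The following is an added example, not code from React Router, Remix, or the advisory, showing the redirect validation the analysis and recommendations above call for. It assumes the React Router convention that a loader receives `{ request }` and that `redirect()` resolves to a 302 Response whose Location header the client follows; the Responses here are built directly so the code runs under plain Node (18+) without the library. The request URLs, the `returnTo` parameter name, and the origin `https://app.example` are constructed test fixtures. `safeRedirectTarget` is the hypothetical helper that rejects scheme-bearing and protocol-relative targets and returns only a same-origin path.

```javascript
// Added example (not react-router code): validating a user-controlled
// redirect target before a loader/action hands it to the router.

/**
 * Return a same-origin path (path + query + fragment) or null if the
 * input must be rejected. Rejects absolute URLs, "javascript:"/"data:"
 * schemes, protocol-relative hosts ("//evil.example"), backslashes
 * (which browsers normalize to "/") and control characters.
 * `origin` defaults to the constructed example origin.
 */
function safeRedirectTarget(input, origin = "https://app.example") {
  if (typeof input !== "string" || input.length === 0) return null;
  // Tabs/newlines are stripped by URL parsers; backslashes become slashes.
  if (/[\u0000-\u001f\\]/.test(input)) return null;
  // Must be a root-relative path, but not protocol-relative.
  if (!input.startsWith("/") || input.startsWith("//")) return null;
  let parsed;
  try {
    parsed = new URL(input, origin);
  } catch {
    return null;
  }
  // Anything that resolved to another origin is an open redirect.
  if (parsed.origin !== origin) return null;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Builds the same kind of Response that react-router's redirect() helper
// produces (assumption: 302 with a Location header).
function redirectResponse(location) {
  return new Response(null, { status: 302, headers: { Location: location } });
}

// Vulnerable pattern: the redirect target comes straight from the query
// string, so ?returnTo=javascript:alert(1) reaches the client unchanged.
function vulnerableLoader({ request }) {
  const returnTo = new URL(request.url).searchParams.get("returnTo") ?? "/";
  return redirectResponse(returnTo);
}

// Hardened pattern: validate against the request's own origin and fall
// back to a fixed safe path when the input is rejected.
function hardenedLoader({ request }) {
  const url = new URL(request.url);
  const target = safeRedirectTarget(url.searchParams.get("returnTo"), url.origin);
  return redirectResponse(target ?? "/");
}

// Constructed sample requests exercising both loaders.
const evil = { request: new Request("https://app.example/login?returnTo=javascript:alert(1)") };
const benign = { request: new Request("https://app.example/login?returnTo=/account?tab=security") };
console.log("vulnerable:", vulnerableLoader(evil).headers.get("Location"));
console.log("hardened  :", hardenedLoader(evil).headers.get("Location"));
console.log("benign    :", hardenedLoader(benign).headers.get("Location"));
```

The allowlist is deliberately narrow: only root-relative paths on the request's own origin survive, so the check also closes the open-redirect route the advisory mentions, not just the script-execution case. Keep the fallback a constant rather than another parameter.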


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T22:30:38.718Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6961c40f19784dcf52ace86d

Added to database: 1/10/2026, 3:14:23 AM

Last enriched: 1/17/2026, 7:47:52 AM

Last updated: 2/6/2026, 7:30:33 PM
