Potential Security Vulnerability Detected
Repository: grafana/grafana
Commit: e126b33
Author: Hugo Häggmark
Date: 2026-06-16T10:04:45Z
Commit Message
[main] chore(deps): Upgrade react-router to 6.30.4 (#126534)
chore(deps): Upgrade react-router to 6.30.4
Pull Request
PR: #126534 - [main] chore(deps): Upgrade react-router to 6.30.4
Labels: type/chore, dependencies, javascript
Description:
What is this feature?
Upgrades the transitive react-router dependency from 6.30.3 to 6.30.4. This fixes CVE-2026-40181, an open redirect via the redirect() API on the 6.x line.
Why do we need this feature?
So we don't ship a react-router with a known open-redirect vulnerability.
Who is this feature for?
Grafana maintainers
Which issue(s) does this PR fix?:
Analysis
Vulnerability Type: Open Redirect
Severity: Medium
Description
This commit upgrades the react-router dependency to version 6.30.4, which patches a known open redirect vulnerability (CVE-2026-40181) in the redirect() API. The vulnerability allowed attackers to craft malicious URLs that redirected users to arbitrary external sites, facilitating phishing and other attacks. The patch prevents unvalidated redirection targets, mitigating this exploit.
Affected Code
The vulnerable code is in react-router@6.30.3 and earlier affecting the redirect() API; direct code snippets aren't provided here but the issue stems from redirect() accepting URLs without proper validation.
Proof of Concept
An attacker crafts a URL like `https://victim-site.com/some-path?redirect=https://malicious-site.com` which, due to the open redirect vulnerability in react-router's redirect(), causes the application to redirect the user to https://malicious-site.com without validation, enabling phishing or session hijacking.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-16T12:01:15.222Z