PT-2025-14377 · Remix+2
Published 2025-04-01 · Updated 2025-06-16
CVE-2025-31137
CVSS v2.0
| Score | 7.8 (High) |
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
React Router versions 7.0.0 through 7.4.0
Remix versions 2.11.1 and later, prior to 2.16.3
Description
The issue allows a remote, unauthenticated attacker to spoof the URL of an incoming Request by placing a URL pathname in the port section of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler (for example, a Host value such as example.com:80/admin). The injected segment becomes part of the URL the application routes on, while the request path that a front-end cache or Web Application Firewall inspected is unchanged, so the flaw can potentially be used for cache poisoning or for bypassing WAF rules. Over 11,000 services are potentially affected.
Recommendations
Upgrade React Router to 7.4.1 or later, which fixes the URL manipulation via Host/X-Forwarded-Host headers.
Upgrade Remix to 2.16.3 or later, which fixes the same issue.
As a temporary workaround, restrict access to the Express adapter until the patch is applied; a front-end proxy that only forwards syntactically valid Host and X-Forwarded-Host values (a hostname with an optional numeric port and nothing after it) also stops this input from reaching the adapter.
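The following is an added example, not code from the React Router or Remix projects. It is a simplified reconstruction of the pattern described above: an Express adapter that derives the request URL from Host / X-Forwarded-Host and treats everything after the first colon as the port, shown beside a hardened variant that accepts only a numeric port and so implements the header validation suggested as a workaround. The makeReq helper is a constructed stand-in for an Express request object; its always-trust-the-proxy behaviour and the exact shape of the pre-fix code are assumptions, not the projects' own logic.

```javascript
// Added example (not the React Router / Remix projects' code): how a path
// smuggled into the "port" slot of Host / X-Forwarded-Host spoofs the URL an
// Express adapter routes on, and a hardened URL builder that rejects it.
// makeReq is a constructed stand-in for an Express request; trusting the
// proxy unconditionally is a simplifying assumption.

// Express-style req.hostname: the (forwarded) host with any ":port" removed.
function stripPort(host) {
  const offset = host.startsWith("[") ? host.indexOf("]") + 1 : 0;
  const i = host.indexOf(":", offset);
  return i === -1 ? host : host.slice(0, i);
}

function makeReq({ headers, protocol = "http", originalUrl }) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const hostHeader = lower["x-forwarded-host"] ?? lower["host"];
  return {
    protocol,
    originalUrl,
    hostname: stripPort(hostHeader), // proxy always trusted in this model
    get: (name) => lower[name.toLowerCase()],
  };
}

// VULNERABLE pattern (assumption: a simplified model of the pre-fix code).
// The "port" is everything after the first ":" and is never validated, so a
// Host of "example.com:80/admin" yields the host string "example.com:80/admin"
// and the path "/admin" is prepended to the real request path.
function buildUrlVulnerable(req) {
  const [, fwdPort] = req.get("x-forwarded-host")?.split(":") ?? [];
  const [, hostPort] = req.get("host")?.split(":") ?? [];
  const port = fwdPort || hostPort;
  const resolvedHost = `${req.hostname}${port ? `:${port}` : ""}`;
  return new URL(`${req.protocol}://${resolvedHost}${req.originalUrl}`);
}

// HARDENED: a host header is a hostname (or bracketed IPv6 literal) followed
// by an optional *numeric* port. Anything else, including a "/" anywhere in
// the value or an empty port before a path, is rejected before a URL is built.
const HOST_RE = /^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$/;

// Usable on its own as a WAF / proxy pre-check on raw header values.
function hostHeaderIsMalformed(value) {
  return value !== undefined && !HOST_RE.test(value);
}

function parsePort(value) {
  if (value === undefined) return undefined;
  const m = HOST_RE.exec(value);
  if (!m) throw new Error(`rejected host header ${JSON.stringify(value)}`);
  return m[2]; // undefined when no port was supplied
}

function buildUrlHardened(req) {
  // Validate both headers even if only one ends up supplying the port.
  const fwdPort = parsePort(req.get("x-forwarded-host"));
  const hostPort = parsePort(req.get("host"));
  const port = fwdPort ?? hostPort;
  // Express's originalUrl is the origin-form request target; refuse anything
  // that could not be a path so the host part of the URL stays ours.
  if (!req.originalUrl.startsWith("/")) {
    throw new Error(`rejected request target ${JSON.stringify(req.originalUrl)}`);
  }
  const base = `${req.protocol}://${req.hostname}${port ? `:${port}` : ""}`;
  return new URL(`${base}${req.originalUrl}`);
}

// Constructed requests: a spoofing attempt and a benign one.
const spoofed = makeReq({ headers: { Host: "example.com:80/admin" }, originalUrl: "/profile" });
const benign = makeReq({ headers: { Host: "example.com:8080" }, originalUrl: "/profile?x=1" });
console.log(buildUrlVulnerable(spoofed).pathname); // the app routes on /admin/profile
console.log(buildUrlHardened(benign).href);
try {
  buildUrlHardened(spoofed);
} catch (e) {
  console.log(e.message);
}
```

The empty-port form (example.com:/admin) defeats any check that only looks for a non-numeric port, because the WHATWG URL parser accepts an empty port and then reads /admin as the start of the path; this is why the hardened builder anchors the regex at both ends rather than inspecting the port in isolation.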
Exploit
Fix
Weakness Enumeration
DoS
HTTP Request/Response Smuggling
Related Identifiers
Affected Products
Express
React Router
Remix