PT-2025-44571 · Remix Run · React Router

Published 2025-10-30 · Updated 2026-01-13

CVE-2025-61686

CVSS v3.1: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

React Router versions 7.0.0 through 7.9.3
@remix-run/deno versions prior to 2.17.2
@remix-run/node versions prior to 2.17.2

Description

The software contains a flaw in the createFileSessionStorage() function when used with unsigned cookies. This allows attackers to manipulate session cookies to perform directory traversal, potentially enabling read and write access to files outside the intended session file directory. The success of an attack depends on the permissions of the web server process. Files that are read cannot be returned directly to the attacker, but a session file read may succeed if the file matches the expected session file format, potentially populating the server-side session with data.

Recommendations

React Router versions 7.0.0 through 7.9.3: Upgrade to version 7.9.4 or later.
@remix-run/deno versions prior to 2.17.2: Upgrade to version 2.17.2 or later.
@remix-run/node versions prior to 2.17.2: Upgrade to version 2.17.2 or later.
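
The check that keeps a cookie-supplied session id inside the session directory, as an added example that is not React Router's code or its fix. The helper names, the 16-hex-character id format, the one-file-per-id layout and the sample values are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical; this is not React Router's code.
// Load node:path whether the file runs as CommonJS or as an ES module.
const path = typeof require === "function"
  ? require("node:path")
  : process.getBuiltinModule("node:path");

// Assumption: session ids are exactly 16 lowercase hex characters.
const SESSION_ID = /^[0-9a-f]{16}$/;

// True only if `candidate`, resolved against rootDir, names something strictly
// below rootDir. path.relative() is used instead of a string-prefix test so a
// sibling such as "/srv/sessions-old" does not pass for "/srv/sessions".
function isInside(rootDir, candidate) {
  const root = path.resolve(rootDir);
  const rel = path.relative(root, path.resolve(root, candidate));
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  return rel !== "" && !escapes && !path.isAbsolute(rel);
}

// Map a cookie-supplied session id to its file, or null if the id is rejected.
function resolveSessionFile(sessionDir, id) {
  // 1. Allowlist the format: separators, dots and NUL bytes never match.
  if (typeof id !== "string" || !SESSION_ID.test(id)) return null;
  // 2. Defence in depth: the resolved path must still sit under sessionDir.
  if (!isInside(sessionDir, id)) return null;
  return path.resolve(sessionDir, id);
}

// Constructed cookie values: one well-formed id, three tampered ones.
const SAMPLES = ["9f2c4e1a7b3d5f60", "../../tmp/x", "/etc/hostname", "9f2c4e1a7b3d5f60/../x"];

function checkSamples(sessionDir) {
  return SAMPLES.map((id) => ({ id, file: resolveSessionFile(sessionDir, id) }));
}

console.log(checkSamples("/srv/app/sessions"));
```
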

Fix

DoS

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-61686

Affected Products

React Router