PT-2025-44571 · Unknown · @Remix-Run/Deno+3

Published: 2025-10-30 · Updated: 2026-02-15 · CVE-2025-61686

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

React Router versions 7.0.0 through 7.9.3
@remix-run/deno versions prior to 2.17.2
@remix-run/node versions prior to 2.17.2

Description

React Router and Remix contain a path traversal flaw that applies when the createFileSessionStorage() function is used with unsigned cookies. An attacker can manipulate the session cookie to read or write session files outside the intended directory. Whether the attack succeeds depends on the web server process's permissions to access those files. File contents are not returned directly to the attacker. However, a file that matches the expected session file format can be read, and its data then populates the server-side session; that data reaches the attacker only if the application logic returns the corresponding session information.

Recommendations

Update @react-router/node to version 7.9.4 or later.
Update @remix-run/deno to version 2.17.2 or later.
Update @remix-run/node to version 2.17.2 or later.
Avoid using unsigned cookies as a mitigation.
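
An added illustration of the path handling the description refers to, not code from React Router, Remix or this advisory: a session id taken from an unsigned cookie is joined to the session directory, shown beside a hardened variant that allowlists the id format and checks that the resolved path stays inside that directory. The function names, the 16-hex-character id format and the /srv/app/sessions directory are assumptions made for the example.

```javascript
// Simplified model of a file-backed session store's path handling.
// Hypothetical helper names; not the library's implementation.
const path = require("node:path");

// Assumption: the server issues session ids as 16 lowercase hex characters.
const SESSION_ID_RE = /^[0-9a-f]{16}$/;

// Unsafe pattern: an id read from an unsigned cookie goes straight into the path.
function naiveSessionFile(dir, id) {
  return path.join(dir, id);
}

// True when `file` resolves to a location strictly under `dir`.
function isInside(dir, file) {
  const rel = path.relative(path.resolve(dir), path.resolve(file));
  return rel !== "" && !rel.startsWith("..") && !path.isAbsolute(rel);
}

// Hardened pattern: allowlist the id format, then confirm containment
// before the path is used for any read or write. Returns null on rejection.
function safeSessionFile(dir, id) {
  if (typeof id !== "string" || !SESSION_ID_RE.test(id)) return null;
  const file = path.resolve(dir, id);
  return isInside(dir, file) ? file : null;
}

// Constructed sample values, not taken from the advisory.
const SESSION_DIR = "/srv/app/sessions";
const SAMPLE_IDS = ["0123456789abcdef", "../../tmp/other", "0123456789ABCDEF"];

// Compare both variants for each sample id.
function report() {
  return SAMPLE_IDS.map((id) => ({
    id,
    naiveStaysInside: isInside(SESSION_DIR, naiveSessionFile(SESSION_DIR, id)),
    safeResult: safeSessionFile(SESSION_DIR, id),
  }));
}

console.table(report());
```

Signing the cookie, as the recommendations advise, rejects a modified id before it reaches any path logic; the containment check is an additional layer, not a substitute.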

Exploit

Fix

DoS

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-61686
GHSA-9583-H5HC-X8CW

Affected Products

@React-Router/Node
@Remix-Run/Deno
@Remix-Run/Node
React Router