CVE-2025-31137
published 2025-04-01

Priority: P343 high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.13% (62.3th percentile)

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. The vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.
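
A defensive check for the header handling described above, as an added example (not the Remix/React Router patch and not code from this page): it accepts a Host or X-Forwarded-Host value only when the port position holds a numeric port, so header content can never contribute to the request path. The function names `parseHostHeader` and `buildRequestUrl` and the sample header values are assumptions made for illustration.

```javascript
// Added example: strict Host / X-Forwarded-Host validation before URL construction.
// Function names and sample header values are constructed for illustration.

const LABEL = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?";
const HOST_RE = new RegExp(
  `^((?:${LABEL})(?:\\.${LABEL})*|\\[[0-9a-f:.]+\\])(?::(\\d{1,5}))?$`, "i");

// Parse "host" or "host:port". Returns null unless the port is purely numeric.
function parseHostHeader(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 255) return null;
  // X-Forwarded-Host can hold a comma-separated list; only the first entry is used here.
  const first = value.split(",")[0].trim();
  const m = HOST_RE.exec(first);
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

// Build the request URL; the path comes only from the request line (originalUrl).
function buildRequestUrl(protocol, hostHeader, originalUrl) {
  if (protocol !== "http" && protocol !== "https") return null;
  if (typeof originalUrl !== "string" || !originalUrl.startsWith("/")) return null;
  const host = parseHostHeader(hostHeader);
  if (host === null) return null; // caller should answer 400 Bad Request
  const authority = host.port === null ? host.hostname : `${host.hostname}:${host.port}`;
  return new URL(`${protocol}://${authority}${originalUrl}`);
}

// Constructed inputs: a normal header and one with a pathname in the port position.
for (const h of ["example.com:3000", "example.com:/admin"]) {
  const url = buildRequestUrl("https", h, "/dashboard");
  console.log(JSON.stringify(h), "->", url ? url.href : "rejected");
}
```

A check like this is defence in depth for deployments that cannot upgrade immediately; the fix named in the advisory is Remix 2.16.3 or React Router 7.4.1.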

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
| react-router | express | >= 7.0.0 < 7.4.1 | 7.4.1 |
| remix-run | express | >= 2.11.1 < 2.16.3 | 2.16.3 |
| remix-run | react-router | | |
| remix-run | react-router | | |

CVSS provenance

nvd: v3.0, 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 7.5 HIGH