CVE-2025-61686
Published 2026-01-10
CVE-2025-61686: React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to…
Priority: P267 · critical · 9.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 16.10% (96.5th percentile)
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| react-router | node | >= 7.0.0 < 7.9.4 | 7.9.4 |
| remix-run | deno | >= 0 < 2.17.2 | 2.17.2 |
| remix-run | node | >= 0 < 2.17.2 | 2.17.2 |
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| shopify | react-router_node | >= 7.0.0 < 7.9.4 | 7.9.4 |
| shopify | remix-run_deno | < 2.17.2 | 2.17.2 |
| shopify | remix-run_node | < 2.17.2 | 2.17.2 |
Detection & IOCs (extracted from sources)
- The bug is reachable only when createFileSessionStorage() is used with an unsigned cookie: audit React Router / Remix v2 session storage configuration for a cookie that carries no signing secrets.
- The attack vector is cookie manipulation: monitor session cookies submitted to applications built on @react-router/node or @remix-run/node for path traversal sequences (e.g. `../`).
- Exploitation requires createFileSessionStorage() with an UNSIGNED cookie; signed cookies are not vulnerable.
- Exfiltration of read file contents is not direct: data is exposed only if the file matches the session file format AND the application logic returns that session data to the client.
- The impact of a file read or write depends entirely on the OS-level permissions of the web server process.
- Client-side-only use of react-router (e.g., the FreeIPA WebUI) is NOT affected; the vulnerability is server-side only.
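The two checks the list above calls for, written out as an added example (this is not code from React Router, Remix or any of the advisory sources): a static audit of a createFileSessionStorage() options object for signing secrets, and a request-side check that decodes the session cookie before looking for traversal segments. The option shape (`dir`, `cookie.name`, `cookie.secrets`) follows the documented createFileSessionStorage() API. Everything else is assumed: that an unsigned cookie value is the base64 of the JSON-serialised value and that a signed one appends a `.signature` suffix, the cookie name `__session`, the directory `/app/sessions`, and the sample requests, which are constructed rather than captured.

```javascript
// Added example, not React Router / Remix code. Assumptions are marked.
const SESSION_DIR = "/app/sessions"; // assumed directory

// Vulnerable pattern: createFileSessionStorage() options with no `secrets`.
// The cookie is unsigned, so the session id it carries is attacker-controlled.
const unsignedSessionConfig = {
  dir: SESSION_DIR,
  cookie: { name: "__session", httpOnly: true, secure: true, sameSite: "lax" },
};

// Hardened pattern: same storage, but the cookie is signed. Signing is in
// addition to upgrading to 7.9.4 / 2.17.2, which a config audit cannot see.
const signedSessionConfig = {
  dir: SESSION_DIR,
  cookie: {
    name: "__session", httpOnly: true, secure: true, sameSite: "lax",
    secrets: [process.env.SESSION_SECRET || "dev-only-placeholder-replace-me"],
  },
};

// Config audit: true only when at least one non-empty signing secret is set.
function isCookieSigned(config) {
  const secrets = config && config.cookie && config.cookie.secrets;
  return Array.isArray(secrets) && secrets.some((s) => typeof s === "string" && s.length > 0);
}

// Assumed encoding of an unsigned framework cookie: base64(JSON.stringify(value)).
// Used here only to build the constructed sample requests below.
function encodeUnsignedCookie(value) {
  return Buffer.from(JSON.stringify(value), "utf8").toString("base64");
}

// Parse a Cookie request header into name -> raw value (first "=" splits).
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of String(header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out.set(name, part.slice(idx + 1).trim());
  }
  return out;
}

// Recover the carried value: drop an assumed ".<signature>" suffix, base64-decode,
// JSON-parse; fall back to the decoded text, then to the raw value.
function decodeCookieValue(raw) {
  const payload = raw.split(".")[0];
  let text;
  try { text = Buffer.from(payload, "base64").toString("utf8"); } catch { return raw; }
  try { return JSON.parse(text); } catch { return text; }
}

// A ".." path segment bounded by "/" or "\" (or string start/end).
const TRAVERSAL = /(^|[\\/])\.\.(?=[\\/]|$)/;

// Match the plain form and, if it percent-decodes cleanly, the encoded form too.
function hasTraversal(value) {
  if (typeof value !== "string") return false;
  const forms = [value];
  try { forms.push(decodeURIComponent(value)); } catch { /* malformed escape: ignore */ }
  return forms.some((f) => TRAVERSAL.test(f));
}

// Request check: does the session cookie, raw or decoded, carry a traversal segment?
function sessionCookieHasTraversal(cookieHeader, cookieName = "__session") {
  const raw = parseCookieHeader(cookieHeader).get(cookieName);
  if (raw === undefined) return false;
  return hasTraversal(raw) || hasTraversal(decodeCookieValue(raw));
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: "benign id", cookie: `theme=dark; __session=${encodeUnsignedCookie("a1b2c3d4e5f6a7b8")}` },
  { label: "encoded traversal id", cookie: `__session=${encodeUnsignedCookie("../../../../etc/passwd")}` },
  { label: "raw percent-encoded traversal", cookie: "__session=..%2F..%2Fetc%2Fpasswd" },
];

function scanSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ label: r.label, flagged: sessionCookieHasTraversal(r.cookie) }));
}

console.log("unsigned config signed?", isCookieSigned(unsignedSessionConfig));
console.log("signed config signed?", isCookieSigned(signedSessionConfig));
for (const r of scanSamples()) console.log(`${r.label}: ${r.flagged ? "FLAG" : "ok"}`);
```

The second sample is the one a naive `../` grep on the raw Cookie header misses: the base64 carrier contains no dots at all, so the traversal only appears after decoding. The config audit is a static check on the options object and says nothing about the installed version; the version bump to 7.9.4 / 2.17.2 remains the actual fix, and signing is the compensating control the advisories name.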
CVSS provenance
- NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Red Hat (vendor): 9.1 CRITICAL
GHSA
React Router has Path Traversal in File Session Storage (CVE-2025-61686, CRITICAL, CWE-22)
ghsa · 2026-01-08
If applications use `createFileSessionStorage()` from `@react-router/node` (or `@remix-run/node`/`@remix-run/deno` in Remix v2) with an [**unsigned cookie**](https://reactrouter.com/explanation/sessions-and-cookies#signing-cookies), it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.
Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly
OSV
React Router has Path Traversal in File Session Storage (CVE-2025-61686, CRITICAL)
osv · 2026-01-08
Red Hat
react-router: React Router has Path Traversal in File Session Storage (CVE-2025-61686, CRITICAL, CWE-22)
vendor_redhat · 2026-01-10 · CVSS 9.1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-61686 react-router: React Router has Path Traversal in File Session Storage (CRITICAL)
bugzilla · 2026-01-10 · CVSS 9.1
Wiz
CVE-2025-61686 Impact, Exploitability, and Mitigation Steps | Wiz (CRITICAL, CVSS 9.1)
blogs_wiz · JavaScript vulnerability analysis and mitigation
Published 2026-01-10