CVE-2025-31137P3HIGH≥ 7.0.0, < 7.4.12025-04-01
CVE-2025-31137 [HIGH] CWE-444 Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
### Impact
We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming `Request` by putting a URL pathname in the port section of a URL t
ghsaosv