Platform: react
Component: @react-router/node
Fixed in: 7.0.1, 2.17.3, 2.17.3
CVE-2025-61686 describes a critical Path Traversal vulnerability discovered in React Router Node. This flaw allows attackers to potentially access files outside the intended session storage directory, leading to data exposure or modification. The vulnerability affects React Router Node versions from 7.0.0 onward (and @remix-run/node < 2.17.2), and a fix is available in version 7.9.4.
The core of this vulnerability lies in the createFileSessionStorage() function within React Router Node, specifically when used with unsigned cookies. An attacker can craft a malicious cookie that manipulates the file path, tricking the application into attempting to read or write files outside the designated session storage directory. The success of this attack hinges on the web server process's permissions; if the server has write access to sensitive files, the attacker could potentially modify them. This could lead to session hijacking, data breaches, or even remote code execution if the attacker can overwrite configuration files or other critical system components. The impact is amplified in environments where session data is used for authentication or authorization.
As of the publication date, there are no publicly available exploits for CVE-2025-61686. The vulnerability is not currently listed on the CISA KEV catalog. However, given the CRITICAL severity and the potential for significant impact, it is prudent to prioritize remediation. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed.
Exploit Status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-61686 is to immediately upgrade React Router Node to version 7.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter file permission controls on the session storage directory to limit the attacker's potential impact. Additionally, implement input validation and sanitization on any user-controlled data used in file paths. Web Application Firewalls (WAFs) configured with rules to detect and block path traversal attempts can provide an additional layer of defense. Monitor application logs for unusual file access patterns that might indicate exploitation.
Update the @react-router/node package to version 7.9.4 or later. This fixes the path traversal vulnerability in file-based session storage. The update prevents an attacker from accessing files outside the specified session directory.
CVE-2025-61686 is a critical vulnerability in React Router Node allowing attackers to potentially access files outside the intended session storage directory through path traversal.
You are affected if you are using React Router Node versions from 7.0.0 onward (or @remix-run/node < 2.17.2). Upgrade to 7.9.4 to mitigate the risk.
Upgrade React Router Node to version 7.9.4 or later. If immediate upgrade is not possible, implement stricter file permission controls and input validation.
As of the publication date, there are no confirmed reports of active exploitation, but the CRITICAL severity warrants immediate attention and remediation.
Refer to the official React Router documentation and security advisories for the latest information and updates regarding CVE-2025-61686.