Critical React Router Flaw Exposes Server Files to Attack
Critical vulnerabilities have been identified in React Router, potentially allowing attackers to access or modify server files through directory traversal.
The flaws affect multiple packages within the React Router ecosystem and carry a CVSS v3 score of 9.8, classifying them as critical severity.
| CVE ID | Severity | Attack Vector | Flaw Type |
|---|---|---|---|
| CVE-2025-61686 | Critical (9.8) | Network | Remote Code Execution / DoS |
Unauthorized File Access Vulnerability
The primary vulnerability, tracked as CVE-2025-61686, exists in the createFileSessionStorage() function when used with unsigned cookies.
Attackers can manipulate session cookies to force the application to read or write files outside the designated session directory.
Multiple packages within the React Router and Remix ecosystem are impacted:
| Package Name | Affected Versions |
|---|---|
| @react-router/node | 7.0.0 through 7.9.3 |
| @remix-run/deno | 2.17.1 and earlier |
| @remix-run/node | 2.17.1 and earlier |
The vulnerability enables directory traversal attacks through malicious session cookies.
While attackers cannot directly retrieve file contents, successful exploitation allows:
- Reading files that match session file format specifications.
- Modifying session data that could be returned by application logic.
- Potentially accessing sensitive configuration files, depending on server permissions.

The attack's effectiveness depends on web server process permissions and file system access controls.
Developers must immediately upgrade to patched versions:
| Package Name | Safe Version (Fixed) |
|---|---|
| @react-router/node | 7.9.4 or later |
| @remix-run/deno | 2.17.2 or later |
| @remix-run/node | 2.17.2 or later |
The security patch addresses the directory traversal vulnerability by implementing proper path validation and sanitization within the session storage mechanism.
According to the GitHub Advisory, organizations using affected versions of React Router should immediately upgrade to patched versions, and in addition:
- Review server file permissions and access controls.
- Audit session storage implementations for unsigned cookie usage.
- Monitor for suspicious session cookie patterns.
- Implement additional file-system restrictions where feasible.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.