External risk intelligence

React Router Node Session Storage Path Traversal

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-61686

The vulnerability affects web application frameworks (React Router/Remix) used to build internet-facing web applications. Because these components handle session management and file storage at the application layer, web services utilizing them are commonly exposed to the internet, making the vulnerable session handling logic reachable in standard web deployment patterns.

Path Traversal

Shopify React Router\/node

7.0.0 to before 7.9.4before 2.17.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in versions of React Router and Remix.js related to session storage, where an attacker could potentially cause the session to interact with unintended file locations. This could lead to the server accessing or modifying files outside the designated session directory, depending on server process permissions and application logic.

  • Session storage code could be misused.
  • Matters if session data is handled improperly.
  • Confirm if our applications use this code.

Attack Path

How an attacker could exploit the issue

An attacker could leverage this vulnerability by sending specially crafted requests to a web application that uses vulnerable versions of React Router or Remix with `createFileSessionStorage` and unsigned cookies. This could lead to the application attempting to read or write session data from unintended file locations on the server, potentially exposing sensitive information if the attacker can control the target file path and if the file matches the expected session format.

  • Attacker sends crafted requests to the web application.
  • Vulnerable session storage function handles unsigned cookies.
  • Risk of unauthorized file access and session data manipulation.

Live Threat

Current exploitation, exposure, and threat context

When used with unsigned cookies and the `createFileSessionStorage()` function, an attacker could manipulate the session storage to read or write from unintended file locations. This could impact server-side session data, and the attacker might see session data if the application logic returns it. The success of such an attack depends on the web server process's file system permissions.

  • Server-side session data.
  • Unintended file access with session data.
  • Potential exposure of session contents.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability in React Router and Remix Node.js deployments. The first practical step is to identify all instances of the affected technologies, confirm their exposure and criticality, and then determine the accountable owner for remediation.

  • Application owners should investigate usage.
  • Verify reachability and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is React Router and the Remix packages affected by CVE-2025-61686?

React Router is a standard library for managing navigation and state in React applications. Remix is a full-stack framework built on top of React Router that uses these same underlying node-based utilities for server-side operations. The affected components, specifically @react-router/node, @remix-run/node, and @remix-run/deno, provide the infrastructure for server-side tasks, including managing how user sessions are stored and retrieved on the server's file system.

What is the vulnerability class for this CVE?

This vulnerability is classified as Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal (CWE-22). In the context of CVE-2025-61686, the software fails to properly sanitize input when handling session files. This allows a specifically crafted request to bypass intended directory restrictions, potentially instructing the application to read from or write to files in locations the developer never intended to be accessed by the session storage mechanism.

How does an attacker trigger this path traversal issue?

An attacker triggers this flaw by sending a crafted request to an application that utilizes the createFileSessionStorage() function with unsigned cookies. Crucially, this bug is not triggered if the application uses signed cookies, as the cryptographic verification prevents the manipulation of the session identifier that leads to the path traversal. Furthermore, the vulnerability does not grant the attacker direct file download capabilities; success is strictly limited by the server process's permissions.

Do I need to be concerned if my application is internal?

Yes, you should evaluate the risk. According to Halo Surface Signal, this vulnerability affects web application frameworks that are commonly deployed as internet-facing services, meaning the attack vector is network-based. While external-facing applications are at the highest risk because they are reachable from the internet, internal applications remain vulnerable if they are reachable by unauthorized users within your network who could send the necessary crafted requests.

How should I respond to CVE-2025-61686?

Your first step is to perform an inventory of your software dependencies to identify if your projects utilize the affected versions of @react-router/node, @remix-run/node, or @remix-run/deno. Once identified, prioritize updating these packages to the patched versions—specifically 7.9.4 for React Router or 2.17.2 for the Remix packages. Verify if your current session storage configuration utilizes unsigned cookies, as this is the primary condition required for the vulnerability to be exploited.

References