CVE advisoryCRITICAL
CVE-2025-61686
React Router Node Session Storage Path Traversal
Halo Surface Signal: 4 out of 5 — likely to be public-facing.
A vulnerability in React Router and Remix Node.js allows an attacker to manipulate session storage, potentially causing it to read or write from unintended file locations on the server. This could impact server-side session data, and the success depends on the web server's file system permissions.