CVE-2025-61686
Directory Traversal via Unsigned Cookies in React Router Sessions
Publication date: 2026-01-10
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| react_router | node | From 7.0.0 (inc) to 7.9.3 (inc) |
| remix_run | deno | to 2.17.2 (exc) |
| remix_run | node | to 2.17.2 (exc) |
| react_router | node | 7.9.4 |
| remix_run | deno | 2.17.2 |
| remix_run | node | 2.17.2 |
| shopify | remix-run/deno* | to 2.17.2 (inc) |
| shopify | remix-run/node* | to 2.17.2 (inc) |
| shopify | react-router/node* | From 7.0.0 (inc) to 7.9.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the createFileSessionStorage() function in certain versions of @react-router/node and related Remix packages when used with unsigned cookies. An attacker can exploit it to make the session storage read from or write to files outside the intended session file directory. While the attacker cannot directly retrieve file contents, if an external file matches the expected session file format, its data can be loaded into the server-side session, potentially allowing unauthorized modification of session data. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized modification of session data, which impacts the integrity of the application. It can also affect availability by potentially disrupting service. Although no direct data disclosure occurs, the attacker can manipulate session data if certain conditions are met, which could compromise application behavior and reliability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your system is running affected versions of the packages: @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno versions prior to 2.17.2, or @remix-run/node versions prior to 2.17.2. You can check your installed package versions using commands like `npm list @react-router/node`, `npm list @remix-run/node`, or `npm list @remix-run/deno`. Additionally, review your application code to see if `createFileSessionStorage()` is used with unsigned cookies, which is the vulnerable usage pattern. There are no specific network detection commands or signatures provided for this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected packages to the patched versions: update @react-router/node to version 7.9.4 or later, and @remix-run/deno and @remix-run/node to version 2.17.2 or later. Additionally, avoid using `createFileSessionStorage()` with unsigned cookies to prevent exploitation. Ensuring proper file system permissions for the web server process can also reduce the risk of unauthorized file access. [1]
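As an added detection example (not code from the advisory or from the React Router/Remix projects), the following Node script checks an `npm ls --json --all` dependency tree against the affected ranges listed above and flags a `createFileSessionStorage()` options object whose cookie has no `secrets`, the unsigned-cookie pattern named in the answers. The tree layout mirrors npm's JSON output; the sample tree and option objects are constructed for the example.

```javascript
// Added audit helper (not the advisory's or React Router's own code): checks an
// `npm ls --json --all` tree against the ranges above and flags the unsigned-cookie pattern.
const AFFECTED = {
  '@react-router/node': { min: '7.0.0', maxInclusive: '7.9.3' },
  '@remix-run/node': { maxExclusive: '2.17.2' },
  '@remix-run/deno': { maxExclusive: '2.17.2' },
};

// Compare major.minor.patch numerically; a prerelease suffix is dropped, so a
// prerelease of an affected version is still flagged (the conservative choice).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const r = AFFECTED[name];
  if (!r || !version) return false;
  if (r.min && cmp(version, r.min) < 0) return false;
  if (r.maxInclusive) return cmp(version, r.maxInclusive) <= 0;
  return cmp(version, r.maxExclusive) < 0;
}

// Walk the nested `dependencies` tree and report "parent > child@version" chains,
// so transitive copies of an affected package are found as well as direct ones.
function findAffected(tree, chain = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...chain, `${name}@${info.version}`];
    if (isAffected(name, info.version)) out.push(here.join(' > '));
    findAffected(info, here, out);
  }
  return out;
}

// True when a createFileSessionStorage() options object yields an unsigned
// cookie, i.e. `cookie.secrets` is missing or empty.
function usesUnsignedCookie(options) {
  const secrets = options && options.cookie && options.cookie.secrets;
  return !(Array.isArray(secrets) && secrets.length > 0);
}

// Constructed sample tree (not real npm output): one direct package in range,
// one transitive copy already patched, one Deno package below the fixed version.
const SAMPLE_TREE = { name: 'app', version: '1.0.0', dependencies: {
  '@react-router/node': { version: '7.9.3' },
  'some-lib': { version: '0.1.0', dependencies: { '@remix-run/node': { version: '2.17.2' } } },
  '@remix-run/deno': { version: '2.16.0' },
} };
console.log(findAffected(SAMPLE_TREE));
```

Feed it real data with `npm ls --json --all > tree.json` and `JSON.parse(fs.readFileSync('tree.json'))` in place of `SAMPLE_TREE`; a hit means upgrade, and a `usesUnsignedCookie` hit means add `secrets` to the session cookie regardless of version.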
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.