CVE-2025-31137

Published Apr 1, 2025

Last updated 3 months ago

CVSS high 7.5
JavaScript
React

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-31137 is a vulnerability found in React Router, specifically affecting Remix 2 and React Router 7 users utilizing the Express adapter. This flaw allows attackers to manipulate the URL pathname by exploiting the Host or X-Forwarded-Host headers in HTTP requests. By inserting a URL pathname in the port section of these headers, attackers can spoof the URL used in incoming requests. This vulnerability can lead to various exploits, including cache poisoning denial of service (CPDoS), WAF bypass, and escalated XSS attacks. The issue stems from the lack of port sanitization in React Router's Express adapter when handling the Host and X-Forwarded-Host headers. The vulnerability has been addressed in Remix 2.16.3 and React Router 7.4.1.
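A defensive check for the header handling described above, as an added example rather than code from React Router, Remix or the advisory: it contrasts a simplified URL builder that trusts the header with one that accepts only a numeric port. All function names and sample header values are constructed for illustration.

```javascript
// Simplified illustration of the flaw class (NOT the adapter's actual code):
// the header value is pasted into a URL string without checking the port part.
function naiveRequestUrl(protocol, hostHeader, originalUrl) {
  return new URL(`${protocol}://${hostHeader}${originalUrl}`);
}

// Hardened form: accept only "hostname" or "hostname:port" where port is
// 1-5 digits. Bracketed IPv6 literals are allowed as the hostname.
const HOST_RE = /^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$/;

function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  // X-Forwarded-Host may carry a comma-separated chain; use the first entry.
  const first = value.split(",")[0].trim();
  const m = HOST_RE.exec(first);
  if (!m) return null; // anything non-numeric in the port position is rejected
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

function safeRequestUrl(protocol, hostHeader, originalUrl) {
  const host = parseHostHeader(hostHeader);
  if (!host) return null; // caller should answer 400 Bad Request
  const authority =
    host.port === null ? host.hostname : `${host.hostname}:${host.port}`;
  return new URL(`${protocol}://${authority}${originalUrl}`);
}

// Constructed sample header values (not taken from any real traffic).
const SAMPLE_GOOD = "app.example.test:8080";
const SAMPLE_BAD = "app.example.test:/constructed-prefix";

function demo() {
  return {
    naivePath: naiveRequestUrl("https", SAMPLE_BAD, "/account").pathname,
    safeBad: safeRequestUrl("https", SAMPLE_BAD, "/account"),
    safeGood: safeRequestUrl("https", SAMPLE_GOOD, "/account").href,
  };
}
```

Upgrading to Remix 2.16.3 or React Router 7.4.1 remains the fix; a check of this kind is a compensating control for middleware or a proxy in front of a deployment that has not yet been upgraded.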

Description
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-444

Social media

Hype score
Not currently trending
  1. #Vulnerability #CachePoisoningDenialofService CVE-2025-31137: React Router Vulnerability Exposes Web Apps to Cache Poisoning and WAF Bypass Attacks https://t.co/ZM0eZs94bT

    @Komodosec

    8 Jun 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. React Router vulnerabilities CVE-2025-43864/43865 fixed: poisoning and spoofing https://t.co/e4W3vXTUiN Two serious vulnerabilities have been found in React Router. Teams using it should update promptly. In addition,

    @iototsecnews

    12 May 2025

    92 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Risk of a React Router vulnerability being exploited for cache poisoning and WAF bypass attacks (CVE-2025-31137) #セキュリティ対策Lab #セキュリティ #Security https://t.co/7bC9tNuxe3

    @securityLab_jp

    4 Apr 2025

    76 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. Critical React Router flaw (CVE-2025-31137) exposes web apps to cache poisoning & WAF bypass—patch immediately to prevent data manipulation. Details: https://t.co/Tg3bRjSR68 #WebSecurity #Vulnerability

    @adriananglin

    3 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. New paper on a vulnerability discovered in React Router, resulting from a collaboration between @zhero___ and @inzo____, which led to CVE-2025-31137: 'React Router and the Remix'ed Path. https://t.co/Wdo4g77aV8 https://t.co/k1dyS9WOpx

    @iamunixtz

    2 Apr 2025

    1448 Impressions

    2 Retweets

    52 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  6. new paper on a vulnerability discovered in React Router, resulting from a collaboration with @inzo____ that led to CVE-2025-31137; React Router and the Remix'ed path https://t.co/LMiqASwZnf good reading https://t.co/VgVIDrILH2

    @zhero___

    2 Apr 2025

    18794 Impressions

    94 Retweets

    455 Likes

    166 Bookmarks

    25 Replies

    7 Quotes