AI description
CVE-2025-61686 is a path traversal vulnerability found in React Router and Remix frameworks. The flaw specifically impacts the `createFileSessionStorage()` function when it is used with unsigned cookies. Attackers can exploit this by crafting malicious session cookies containing directory traversal sequences, which could allow them to read from or write to locations outside the designated session file directory. This vulnerability affects `@react-router/node` versions 7.0.0 through 7.9.3, `@remix-run/node` prior to version 2.17.2, and `@remix-run/deno` prior to version 2.17.2. While an attacker could potentially access sensitive server files, successful exploitation for reading files is limited to those that match the expected session file format. The issue has been addressed in `@react-router/node` version 7.9.4, `@remix-run/deno` version 2.17.2, and `@remix-run/node` version 2.17.2.
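The weakness class described above, shown as an added example (not code from React Router, Remix or the advisory): a client-chosen session id joined onto the session directory, next to an allow-listed and containment-checked version and an HMAC-signed id. All function names, the directory, the secret and the ids are hypothetical, constructed values.

```javascript
// Added illustration with hypothetical helpers; not React Router or Remix source.
const path = require("node:path");
const crypto = require("node:crypto");

// Weak pattern: a client-supplied id is joined straight onto the session directory.
function naiveSessionPath(dir, id) {
  return path.join(dir, id);
}

// Hardened pattern: allow-list the id format, then confirm the resolved
// path is still inside the session directory before touching the disk.
function safeSessionPath(dir, id) {
  if (typeof id !== "string" || !/^[0-9a-f]{16,64}$/.test(id)) {
    throw new Error("invalid session id");
  }
  const root = path.resolve(dir);
  const file = path.resolve(root, id);
  if (!file.startsWith(root + path.sep)) {
    throw new Error("session path escapes session directory");
  }
  return file;
}

// Signing binds the id to a server secret, so a client cannot pick its own id.
function signId(id, secret) {
  const mac = crypto.createHmac("sha256", secret).update(id).digest("base64url");
  return `${id}.${mac}`;
}

// Returns the id only when the signature verifies, otherwise null.
function verifySignedId(value, secret) {
  const dot = String(value).lastIndexOf(".");
  if (dot < 1) return null;
  const id = String(value).slice(0, dot);
  const expected = Buffer.from(signId(id, secret));
  const given = Buffer.from(String(value));
  if (expected.length !== given.length) return null;
  return crypto.timingSafeEqual(expected, given) ? id : null;
}

// Constructed sample values (not taken from the advisory).
const SESSION_DIR = "/srv/app/sessions";
const SECRET = "constructed-demo-secret";
const goodId = "0123456789abcdef0123456789abcdef";
const tamperedId = "../../tmp/elsewhere";

// True when `file` lies outside `dir`.
function escapes(dir, file) {
  return path.relative(dir, file).startsWith("..");
}
```

With an unsigned cookie the id is whatever the client sends, so only the path check stands between the request and the filesystem; with a signed cookie a tampered value is rejected before any path is built.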
- Description: React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
- Source: security-advisories@github.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 9.1
- Impact score: 5.2
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Severity: CRITICAL
- security-advisories@github.com: CWE-22
- Hype score: Not currently trending
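To check a project against the affected ranges listed in the description, the added example below (not part of the advisory or of either project) walks the `packages` map of an npm lockfile and reports installed copies of the three packages that fall below the fixed versions. The lockfile content and the `legacy-admin` package name are constructed sample data, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Added illustration; ranges come from the CVE description on this page.
const AFFECTED = new Map([
  ["@react-router/node", { min: [7, 0, 0], fixed: [7, 9, 4] }],
  ["@remix-run/node", { min: [0, 0, 0], fixed: [2, 17, 2] }],
  ["@remix-run/deno", { min: [0, 0, 0], fixed: [2, 17, 2] }],
]);

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const range = AFFECTED.get(name);
  const parsed = parseVersion(version);
  if (!range || !parsed) return false;
  return compare(parsed, range.min) >= 0 && compare(parsed, range.fixed) < 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3),
// including copies nested under another package's node_modules.
function findAffected(lockfile) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (isAffected(name, entry.version)) {
      const fixed = AFFECTED.get(name).fixed.join(".");
      hits.push({ path: key, name, version: entry.version, fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile (package names other than the three above are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@react-router/node": { version: "7.9.3" },
    "node_modules/@remix-run/node": { version: "2.17.2" },
    "node_modules/legacy-admin/node_modules/@remix-run/node": { version: "2.16.8" },
  },
};
```

A hit only means an affected version is installed; per the description, exposure also requires `createFileSessionStorage()` to be used with an unsigned cookie.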
Critical React Router Vulnerability Alert: Security researchers have discovered a critical vulnerability in React Router (CVE-2025-61686) that can allow attackers to access or modify server files by exploiting session cookie storage. This affects @react-router/node a
@Adidotdev
13 Jan 2026
CVE-2025-61686 (a directory traversal caused by createFileSessionStorage in React Router / Remix) was announced on January 8, so I quickly investigated the following for the apps I could think of. Checked `package.json`, and the following dependencies
@guzecong
12 Jan 2026
Warning: Multiple High Severity Vulnerabilities in #React-Router. CVE-2025-61686, CVE-2026-22029, CVE-2026-59057 & others. Attackers can read sensitive files or hijack sessions! #Patch #Patch #Patch More info: https://t.co/jRGNAD4XZZ
@CCBalert
12 Jan 2026
Fresh CVE alert just in! React Router SSR flaw exposes sensitive server files. Learn how CVE-2025-61686 affects Remix apps and what dev teams must fix now. Explore the write-up: https://t.co/cIbALOiy5c Stay s
@PurpleOps_io
12 Jan 2026
Critical React Router/Remix Bug Lets Attackers Traverse Paths via Unsigned Session Cookies (CVE-2025-61686). A flaw in `createFileSessionStorage()` allows crafted unsigned session cookies to inject `../` sequences and force read/write of session files outside the intended
@ThreatSynop
12 Jan 2026
Critical React Router Session Bug (CVE-2025-61686) Enables Path Traversal via Unsigned Cookies - Patch Now. A critical flaw in createFileSessionStorage() when using unsigned cookies lets attackers tamper with the session cookie to read/write session files outside the intend
@ThreatSynop
12 Jan 2026
Urgent Patch: React Router CVE-2025-61686 (CVSS 9.1) exposes server files via session flaws. Fix XSS & Open Redirect bugs by updating to v7.9.6 now. #ReactRouter #RemixRun #WebDev #CyberSecurity #CVE202561686 #JavaScript #AppSec #PatchNow https://t.co/OMYoQsjJxM
@the_yellow_fall
12 Jan 2026
CVE-2025-61686 Path Traversal Vulnerability in React Router and Remix Session Storage Mechanisms https://t.co/ygvk3Hn0aq
@VulmonFeeds
10 Jan 2026
New Critical Vulnerability Alert. CVE-2025-61686. Score: 9.1. Read Intel: https://t.co/BWJSYdUzwW #CVE #CyberSecurity #WatchStack
@watchstackio
10 Jan 2026
CVE-2025-61686 React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version … https://t.co/SNy0wyTlYb
@CVEnew
10 Jan 2026
[CVE-2025-61686: CRITICAL] Vulnerabilities patched in React Router versions 7.9.4, Remix v2.17.2 may expose servers to attackers using createFileSessionStorage(). Update now to stay secure!#cve,CVE-2025-61686,#cybersecurity https://t.co/QVtVHJWdOK https://t.co/yg6m3AScOu
@CveFindCom
10 Jan 2026
CVE-2025-61686 - Critical. React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFile... https://t.co/BHbQasynOP https://t.co/mXLU1upnNL
@TheHackerWire
10 Jan 2026