- Description
- React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- react-router/node, remix-run/deno, remix-run/node
CVSS 3.1
- Type
- Secondary
- Base score
- 9.1
- Impact score
- 5.2
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-22
#VulnerabilityReport #CVE202561686 Critical React Router Flaws: CVE-2025-61686 Exposes Server Files https://t.co/Z0n0jp8oes
@Komodosec
15 Feb 2026
⚠️ Vulnerability in React products ❗ CVE-2025-61686 ➡️ More info: https://t.co/8zIlIr15e4 https://t.co/sYJd9PcgR2
@CERTpy
26 Jan 2026
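React Router vulnerability CVE-2025-61686 fixed: server files can be stolen or modified https://t.co/Jax6rGhWiV A serious vulnerability has been discovered in React Router/Remix, libraries that are popular in modern web development. The cause of this problem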
@iototsecnews
20 Jan 2026
What is CVE-2025-61686, the serious React Router vulnerability? The full picture of a path traversal attack that abuses session storage #Security - Qiita https://t.co/K4gc247p9f
@LirioY
18 Jan 2026
CVE-2025-61686 (CVSS:9.1, CRITICAL) is Awaiting Analysis. React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version..https://t.co/nYSxEzYmeS #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
15 Jan 2026
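A vulnerability, CVE-2025-61686, has been found in React Router ⚠️ If you are using an affected version, it is a good idea to update soon 🔄 Dependencies tend to get put off, but it is exactly at times like this that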
@spookiesjp
15 Jan 2026
Critical vulnerability in React Router (CVE-2025-61686) https://t.co/QE88kVl3Jc #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
15 Jan 2026
🛡️ Critical React Router Vulnerability Alert 🚨 Security researchers have discovered a critical vulnerability in React Router (CVE-2025-61686) that can allow attackers to access or modify server files by exploiting session cookie storage. This affects @react-router/node a
@Adidotdev
13 Jan 2026
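CVE-2025-61686 (a directory traversal caused by createFileSessionStorage in React Router / Remix) was announced on January 8, so for now I investigated the following for the apps I had in mind. Check `package.json`, and the following dependencies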
@guzecong
12 Jan 2026
Warning: Multiple High Severity Vulnerabilities in #React-Router. CVE-2025-61686, CVE-2026-22029, CVE-2026-59057 & others. Attackers can read sensitive files or hijack sessions! #Patch #Patch #Patch More info: https://t.co/jRGNAD4XZZ
@CCBalert
12 Jan 2026
🚨 Fresh CVE alert just in! React Router SSR flaw exposes sensitive server files. Learn how CVE-2025-61686 affects Remix apps and what dev teams must fix now. 🌐 Explore the write-up → https://t.co/cIbALOiy5c Stay s
@PurpleOps_io
12 Jan 2026
🚨 Critical React Router/Remix Bug Lets Attackers Traverse Paths via Unsigned Session Cookies (CVE-2025-61686) A flaw in `createFileSessionStorage()` allows crafted unsigned session cookies to inject `../` sequences and force read/write of session files outside the intended
@ThreatSynop
12 Jan 2026
🚨 Critical React Router Session Bug (CVE-2025-61686) Enables Path Traversal via Unsigned Cookies — Patch Now A critical flaw in createFileSessionStorage() when using unsigned cookies lets attackers tamper with the session cookie to read/write session files outside the intend
@ThreatSynop
12 Jan 2026
Urgent Patch: React Router CVE-2025-61686 (CVSS 9.1) exposes server files via session flaws. Fix XSS & Open Redirect bugs by updating to v7.9.6 now. #ReactRouter #RemixRun #WebDev #CyberSecurity #CVE202561686 #JavaScript #AppSec #PatchNow https://t.co/OMYoQsjJxM
@the_yellow_fall
12 Jan 2026
CVE-2025-61686 Path Traversal Vulnerability in React Router and Remix Session Storage Mechanisms https://t.co/ygvk3Hn0aq
@VulmonFeeds
10 Jan 2026
🚨 New Critical Vulnerability Alert 🆔 CVE-2025-61686 📊 Score: 9.1 🔗 Read Intel: https://t.co/BWJSYdUzwW #CVE #CyberSecurity #WatchStack
@watchstackio
10 Jan 2026
CVE-2025-61686 React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version … https://t.co/SNy0wyTlYb
@CVEnew
10 Jan 2026
[CVE-2025-61686: CRITICAL] Vulnerabilities patched in React Router versions 7.9.4, Remix v2.17.2 may expose servers to attackers using createFileSessionStorage(). Update now to stay secure!#cve,CVE-2025-61686,#cybersecurity https://t.co/QVtVHJWdOK https://t.co/yg6m3AScOu
@CveFindCom
10 Jan 2026
🔴 CVE-2025-61686 - Critical React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFile... https://t.co/BHbQasynOP https://t.co/mXLU1upnNL
@TheHackerWire
10 Jan 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:shopify:react-router\\/node:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "1E0C856C-476D-482F-8047-7F4D5F0B4204",
            "versionEndExcluding": "7.9.4",
            "versionStartIncluding": "7.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:shopify:remix-run\\/deno:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "B47283CD-6965-448D-98CA-2A1BEED89A74",
            "versionEndExcluding": "2.17.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:shopify:remix-run\\/node:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "C506FB64-B70B-40CF-8A14-C7BA394D1814",
            "versionEndExcluding": "2.17.2",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]