CVE-2025-61686: React Router/Remix cookie flaw allows file access

A critical security vulnerability has been discovered in the React Router and Remix frameworks that enables attackers to access and modify sensitive files on web servers.

Identified as CVE-2025-61686 with a CVSS severity rating of 8.8/10, this vulnerability represents a significant threat to the extensive ecosystem of applications built on these popular routing libraries.

The flaw originates in the createFileSessionStorage() function, which handles file-based session management in @react-router/node versions 7.0.0 through 7.9.3, @remix-run/node versions up to 2.17.1, and @remix-run/deno versions up to 2.17.1.

The vulnerability specifically manifests when developers configure applications to use unsigned cookies for session storage, creating a dangerous attack vector that requires no authentication or user interaction to exploit.

The Attack Mechanism

Session management in React Router and Remix typically stores user session data in files on the server, with cookies serving as identifiers to reference these stored sessions. The vulnerability arises from improper path validation when processing unsigned session cookies.

Attackers can craft malicious cookies containing directory traversal sequences such as ../ characters, which bypass the intended security boundaries and enable file system access outside the designated session directory.

Exploitation does not amount to reading arbitrary files from the server; it operates within specific constraints. Attackers must reference files that match the expected session file format.

When such a matching file is found, the server loads its contents into the session object, potentially exposing the data through standard application logic. This limitation stems from the fact that session storage functions expect specific data structures; random file contents would not be processed as valid session data.

The write capability presents equally concerning risks. Attackers can inject malicious data into files outside the intended directory structure, potentially enabling code execution or complete system compromise if critical configuration files or executable scripts are overwritten.

The viability of such attacks depends heavily on the file system permissions granted to the web server process.

Affected Packages and Versions

Multiple packages within the React Router ecosystem are vulnerable to this attack. Organizations using the following versions require immediate patching:

  • @react-router/node versions 7.0.0 through 7.9.3
  • @remix-run/node versions up to 2.17.1
  • @remix-run/deno versions up to 2.17.1

The widespread adoption of these packages across modern web applications amplifies the potential impact.

React Router alone maintains over 20 million weekly downloads on npm, making the security posture of this library critical to the broader React ecosystem.

Available Patches

React Router maintainers have released patched versions that address the path traversal vulnerability. Developers maintaining affected applications should upgrade to the following versions immediately:

  • @react-router/node version 7.9.4 or higher
  • @remix-run/node version 2.17.2 or higher
  • @remix-run/deno version 2.17.2 or higher

Mitigation Strategies

Beyond patching, security experts recommend implementing signed cookies as the most effective mitigation strategy.

Unlike unsigned cookies, signed cookies employ cryptographic verification to ensure session integrity, preventing attackers from manipulating cookie contents even on unpatched systems.

Proper file system permissions also significantly reduce the attack surface. Organizations should implement strict access controls ensuring that web server processes have minimal permissions, limiting access to only the designated session storage directory.

Additionally, organizations should avoid storing sensitive configuration files or executable scripts in directories accessible to the web server process.

Developers should also audit their applications for any implementation of createFileSessionStorage() with unsigned cookies.

If such configurations exist, switching to signed cookies provides immediate protection while patching processes are underway.

Broader Security Context

This vulnerability represents one of several recent flaws affecting React Router. Additional vulnerabilities disclosed in early 2025 include CVE-2025-68470, an open redirect vulnerability affecting navigation functions, and CVE-2025-43864 and CVE-2025-43865, which enable cache poisoning attacks.

These discoveries emphasize the importance of maintaining comprehensive vulnerability monitoring for routing libraries and their dependencies.

Organizations should also monitor for similar path traversal vulnerabilities in session management implementations across their technology stacks.

The underlying attack pattern—improper path validation in file operations—represents a class of vulnerabilities that can appear across multiple applications and frameworks.

Response Timeline

The vulnerability disclosure followed a coordinated responsible disclosure process.

Security researchers identified the flaw, React Router maintainers confirmed the vulnerability and developed patches, and after validation with affected platforms and projects, the fix was released publicly on January 11, 2026.

The critical nature of this vulnerability, combined with its network-based attack vector requiring no user interaction, makes it a prime target for automated exploitation campaigns.

Security teams should treat this as a high-priority patching requirement and implement additional monitoring for exploitation attempts targeting vulnerable configurations.

Kira Sharma

Kira Sharma is a cybersecurity enthusiast and AI commentator. She brings deep knowledge to the core of the internet, analyzing trends in Cybersecurity & Privacy, the future of Artificial Intelligence, and the evolution of Software & Apps.