React Router has Path Traversal in File Session Storage
Summary
| CVE | CVE-2025-61686 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-10 03:15:48 UTC |
| Updated | 2026-06-27 05:16:40 UTC |
| Description | React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Problem Types: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Shopify | React-router/node | All | All | All | All |
| Application | Shopify | Remix-run/deno | All | All | All | All |
| Application | Shopify | Remix-run/node | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Remix-run | React-router | affected @react-router/node >= 7.0.0, < 7.9.4 | Not specified |
| CNA | Remix-run | React-router | affected @remix-run/deno < 2.17.2 | Not specified |
| CNA | Remix-run | React-router | affected @remix-run/node < 2.17.2 | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | Gatekeeper 3 | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Applications 7 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Applications 8 | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Containers | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Virtualization | Not specified | Not specified |
| ADP | Red Hat | Multicluster Engine For Kubernetes | Not specified | Not specified |
| ADP | Red Hat | Network Observability Operator | Not specified | Not specified |
| ADP | Red Hat | Node HealthCheck Operator | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 2 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Security 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel - HawtIO 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Kueue | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of OptaPlanner 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Connectivity Link 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub | Not specified | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager Preview | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Openshift Data Foundation 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Distributed Tracing 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Virtualization 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Single Sign-On 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Trusted Artifact Signer | Not specified | Not specified |
| ADP | Red Hat | Red Hat Trusted Profile Analyzer | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw | [email protected] | github.com | Third Party Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61686.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-61686 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-01-10T04:01:55.424Z | Reported to Red Hat. |
| ADP | 2026-01-10T02:41:22.741Z | Made public. |
There are currently no legacy QID mappings associated with this CVE.