{"api_version":"1","generated_at":"2026-06-27T18:33:04+00:00","cve":"CVE-2025-61686","urls":{"html":"https://cve.report/CVE-2025-61686","api":"https://cve.report/api/cve/CVE-2025-61686.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-61686","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-61686"},"summary":{"title":"React Router has Path Traversal in File Session Storage","description":"React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-01-10 03:15:48","updated_at":"2026-06-27 05:16:40"},"problem_types":["CWE-22","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw","name":"https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw","refsource":"security-advisories@github.com","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61686.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61686.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2025-61686","name":"https://access.redhat.com/security/cve/CVE-2025-61686","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428423","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2428423","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-61686","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61686","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"remix-run","product":"react-router","version":"affected @react-router/node >= 7.0.0, < 7.9.4","platforms":[]},{"source":"CNA","vendor":"remix-run","product":"react-router","version":"affected @remix-run/deno < 2.17.2","platforms":[]},{"source":"CNA","vendor":"remix-run","product":"react-router","version":"affected @remix-run/node < 2.17.2","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Cryostat 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Gatekeeper 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Logging Subsystem for Red Hat OpenShift","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Applications 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Applications 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Containers","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Migration Toolkit for Virtualization","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Multicluster Engine for Kubernetes","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Network Observability Operator","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Node HealthCheck Operator","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Lightspeed","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Pipelines","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Service Mesh 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Service Mesh 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Security 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Ansible Automation Platform 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Apache Camel - HawtIO 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Apicurio Registry 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Build of Kueue","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of OptaPlanner 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Connectivity Link 1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Data Grid 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Developer Hub","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Discovery 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Edge Manager 1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Edge Manager preview","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Fuse 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift AI (RHOAI)","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Openshift Data Foundation 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Dev Spaces","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift distributed tracing 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift GitOps","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Virtualization 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Process Automation 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Quay 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Satellite 6","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Single Sign-On 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Trusted Artifact Signer","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Trusted Profile Analyzer","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-01-10T04:01:55.424Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-01-10T02:41:22.741Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"61686","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"shopify","cpe5":"react-router\\/node","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61686","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"shopify","cpe5":"remix-run\\/deno","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"61686","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"shopify","cpe5":"remix-run\\/node","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-61686","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-01-12T13:58:36.773708Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-03T18:11:24.722Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"unaffected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:gatekeeper:3"],"defaultStatus":"unaffected","product":"Gatekeeper 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:logging:5"],"defaultStatus":"unaffected","product":"Logging Subsystem for Red Hat OpenShift","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_applications:7"],"defaultStatus":"unaffected","product":"Migration Toolkit for Applications 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"unaffected","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhmt:1"],"defaultStatus":"unaffected","product":"Migration Toolkit for Containers","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_virtualization:2"],"defaultStatus":"unaffected","product":"Migration Toolkit for Virtualization","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_engine"],"defaultStatus":"unaffected","product":"Multicluster Engine for Kubernetes","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:network_observ_optr:1"],"defaultStatus":"unaffected","product":"Network Observability Operator","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:workload_availability_nhc:0"],"defaultStatus":"unaffected","product":"Node HealthCheck Operator","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"unaffected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_pipelines:1"],"defaultStatus":"unaffected","product":"OpenShift Pipelines","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","product":"OpenShift Service Mesh 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3"],"defaultStatus":"unaffected","product":"OpenShift Service Mesh 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2"],"defaultStatus":"unaffected","product":"Red Hat Advanced Cluster Management for Kubernetes 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:advanced_cluster_security:4"],"defaultStatus":"unaffected","product":"Red Hat Advanced Cluster Security 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"unaffected","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_registry:2"],"defaultStatus":"unaffected","product":"Red Hat build of Apicurio Registry 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:kueue_operator:1"],"defaultStatus":"unaffected","product":"Red Hat Build of Kueue","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:optaplanner:::el6"],"defaultStatus":"unaffected","product":"Red Hat build of OptaPlanner 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:connectivity_link:1"],"defaultStatus":"unaffected","product":"Red Hat Connectivity Link 1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"unaffected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"unaffected","product":"Red Hat Developer Hub","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:discovery:2::el9"],"defaultStatus":"unaffected","product":"Red Hat Discovery 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:edge_manager:1"],"defaultStatus":"unaffected","product":"Red Hat Edge Manager 1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:edge_manager:0"],"defaultStatus":"unaffected","product":"Red Hat Edge Manager preview","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"unaffected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unaffected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_data_foundation:4"],"defaultStatus":"unaffected","product":"Red Hat Openshift Data Foundation 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_distributed_tracing:3"],"defaultStatus":"unaffected","product":"Red Hat OpenShift distributed tracing 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"unaffected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"],"defaultStatus":"unaffected","product":"Red Hat Process Automation 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3"],"defaultStatus":"unaffected","product":"Red Hat Quay 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"unaffected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:trusted_artifact_signer:1"],"defaultStatus":"unaffected","product":"Red Hat Trusted Artifact Signer","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:trusted_profile_analyzer:2"],"defaultStatus":"unaffected","product":"Red Hat Trusted Profile Analyzer","vendor":"Red Hat"}],"datePublic":"2026-01-10T02:41:22.741Z","descriptions":[{"lang":"en","value":"A security issue was discovered in the react-router/node component of React Router. It is possible for an attacker manipulate an unsigned cookie to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Critical"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-27T04:05:15.285Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-61686"},{"name":"RHBZ#2428423","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428423"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-61686.json"}],"timeline":[{"lang":"en","time":"2026-01-10T04:01:55.424Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-01-10T02:41:22.741Z","value":"Made public."}],"title":"react-router: React Router has Path Traversal in File Session Storage","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"react-router","vendor":"remix-run","versions":[{"status":"affected","version":"@react-router/node >= 7.0.0, < 7.9.4"},{"status":"affected","version":"@remix-run/deno < 2.17.2"},{"status":"affected","version":"@remix-run/node < 2.17.2"}]}],"descriptions":[{"lang":"en","value":"React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-01-10T02:41:22.741Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw","tags":["x_refsource_CONFIRM"],"url":"https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw"}],"source":{"advisory":"GHSA-9583-h5hc-x8cw","discovery":"UNKNOWN"},"title":"React Router has Path Traversal in File Session Storage"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2025-61686","datePublished":"2026-01-10T02:41:22.741Z","dateReserved":"2025-09-29T20:25:16.182Z","dateUpdated":"2026-06-27T04:05:15.285Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-10 03:15:48","lastModifiedDate":"2026-06-27 05:16:40","problem_types":["CWE-22","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-12T13:58:36.773708Z","id":"CVE-2025-61686","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:shopify:react-router\\/node:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.9.4","matchCriteriaId":"1E0C856C-476D-482F-8047-7F4D5F0B4204"},{"vulnerable":true,"criteria":"cpe:2.3:a:shopify:remix-run\\/deno:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.17.2","matchCriteriaId":"B47283CD-6965-448D-98CA-2A1BEED89A74"},{"vulnerable":true,"criteria":"cpe:2.3:a:shopify:remix-run\\/node:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.17.2","matchCriteriaId":"C506FB64-B70B-40CF-8A14-C7BA394D1814"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"61686","Ordinal":"1","Title":"React Router has Path Traversal in File Session Storage","CVE":"CVE-2025-61686","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"61686","Ordinal":"1","NoteData":"React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.","Type":"Description","Title":"React Router has Path Traversal in File Session Storage"}]}}}