SB2026061982 - Path traversal in React Router




Published: June 19, 2026

Security Bulletin ID: SB2026061982
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Path traversal (CVE-ID: CVE-2025-61686)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to access and modify unintended files.

The vulnerability exists due to improper path restriction in createFileSessionStorage() when processing session data from an unsigned cookie. A remote attacker can supply a crafted cookie value to access and modify unintended files.

Successful exploitation depends on the web server process having permission to access the targeted files. Read data is not returned directly, and file reads succeed only if the targeted file matches the expected session file format.
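
The weakness class described above, shown as an added example that is not React Router's code or the vendor's fix: a naive mapping from cookie value to session file, beside a hardened one that verifies a signature, checks the ID format and confirms the path stays inside the session directory. All function names, the 16-hex-character ID format and the `id.mac` cookie layout are assumptions made for illustration.

```javascript
const crypto = require("crypto");
const path = require("path");

// Assumption: session IDs are issued server-side as 16 lowercase hex characters.
const SESSION_ID_RE = /^[0-9a-f]{16}$/;

// Naive mapping (for contrast): the cookie value is used directly as a path fragment.
function naiveSessionFile(sessionDir, cookieValue) {
  return path.join(sessionDir, cookieValue);
}

// Produces "<id>.<hex HMAC-SHA256 of id>" for storage in the cookie.
function sign(id, secret) {
  const mac = crypto.createHmac("sha256", secret).update(id).digest("hex");
  return `${id}.${mac}`;
}

// Returns the ID only when the MAC verifies, otherwise null.
function unsign(cookieValue, secret) {
  const dot = cookieValue.lastIndexOf(".");
  if (dot < 0) return null;
  const id = cookieValue.slice(0, dot);
  const given = Buffer.from(cookieValue.slice(dot + 1));
  const expected = Buffer.from(sign(id, secret).slice(dot + 1));
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? id : null;
}

// Hardened mapping: signature, then ID allowlist, then directory containment.
function hardenedSessionFile(sessionDir, cookieValue, secret) {
  if (typeof cookieValue !== "string") return null;
  const id = unsign(cookieValue, secret);
  if (id === null || !SESSION_ID_RE.test(id)) return null;
  const root = path.resolve(sessionDir);
  const file = path.resolve(root, id);
  // Defence in depth: the resolved path must stay strictly inside root.
  const rel = path.relative(root, file);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) return null;
  return file;
}
```

The format check runs even when the signature verifies, so a leaked signing secret alone does not re-open the directory escape.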


Remediation

Install the update from the vendor's website.