SB2026061986 - Path traversal in Remix Run
Published: June 19, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: CVE-2025-61686)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to access and modify unintended files.
The vulnerability exists due to improper path restriction in createFileSessionStorage() when processing session data from an unsigned cookie. A remote attacker can supply a crafted cookie value to access and modify unintended files.
Successful exploitation requires that the web server process has permission to access the targeted files. Read data is not returned to the attacker directly, and a file read only succeeds if the targeted file matches the expected session file format.
Remediation
Install the update from the vendor's website.