Path traversal in React Router - CVE-2025-61686

 


Published: June 19, 2026


Vulnerability identifier: #VU134930
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-61686
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Remix
Affected software:
React Router

Detailed vulnerability description

The vulnerability allows a remote attacker to access and modify unintended files.

The vulnerability exists due to improper path restriction in createFileSessionStorage() when processing session data from an unsigned cookie. A remote attacker can supply a crafted cookie value to access and modify unintended files.

Successful exploitation depends on the web server process having permission to access the targeted files. Read data is not returned directly and file reads only succeed if the targeted file matches the expected session file format.
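The class of check whose absence is described above, as an added example (not React Router's code and not the vendor's fix): the cookie is authenticated first, the session ID is matched against an allow-list format, and the resolved file path must stay under the session directory. The function names, the `<id>.<hmac>` cookie format, the 16-hex-character ID format and the directory sharding layout are all assumptions made for illustration.

```javascript
const path = require("node:path");
const crypto = require("node:crypto");

// Assumption: ids are generated server-side as 16 lowercase hex characters.
const SESSION_ID_RE = /^[0-9a-f]{16}$/;

// True only if candidate is strictly below root after normalisation.
// path.relative avoids the prefix bug where "/data/sessions-old" passes a
// startsWith("/data/sessions") test.
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// HMAC-SHA256 over the id, hex encoded.
function sign(id, secret) {
  return crypto.createHmac("sha256", secret).update(id).digest("hex");
}

// Cookie format assumed here: "<id>.<hex hmac>". Returns the id or null.
function verifyCookie(cookie, secret) {
  if (typeof cookie !== "string") return null;
  const dot = cookie.lastIndexOf(".");
  if (dot < 0) return null;
  const id = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1), "utf8");
  const expected = Buffer.from(sign(id, secret), "utf8");
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? id : null;
}

// Maps a cookie to a session file path, or null if any check fails.
function sessionFileFor(baseDir, cookie, secret) {
  const id = verifyCookie(cookie, secret);
  // The format check still runs on a validly signed value (defence in depth).
  if (id === null || !SESSION_ID_RE.test(id)) return null;
  // Directory sharding by the first 4 characters is an assumed layout.
  const candidate = path.join(baseDir, id.slice(0, 4), id.slice(4));
  return isInside(baseDir, candidate) ? path.resolve(candidate) : null;
}
```

A `null` result should be handled as "no session" and logged, since a cookie that fails the signature or format check is a useful detection signal.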


How to mitigate CVE-2025-61686

Install the security update from the vendor's website.
