Developers relying on the popular React Router library are being urged to patch their applications immediately following the disclosure of multiple high-severity vulnerabilities. The flaws, ranging from unauthorized file access to Cross-Site Scripting (XSS), threaten the integrity of web applications using both the react-router and @remix-run ecosystems.
The most critical of the bunch, tracked as CVE-2025-61686, carries a devastating CVSS score of 9.1. This vulnerability strikes at the heart of session management, potentially allowing attackers to breach the server’s file system.
According to the security advisory, the flaw resides in the createFileSessionStorage() method used in @react-router/node and legacy Remix packages. The issue arises when applications utilize unsigned cookies for session storage.
“If you are using createFileSessionStorage() … with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory,” the report states.
While the vulnerability doesn’t immediately dump file contents to the attacker, it creates a dangerous primitive. If the attacker can manipulate the session ID to point to a sensitive file (like a configuration file) that matches the session format, that data could be populated into the server-side session and potentially exposed by the application logic.
Affected Versions:
- @react-router/node: 7.0.0 through 7.9.3
- @remix-run/deno: <= 2.17.1
The update also addresses three separate high-severity XSS flaws that could allow attackers to execute malicious scripts:
- Meta Component XSS (CVE-2025-59057): Rated CVSS 7.6, this vulnerability exists in the <Meta> API “when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag”.
- ScrollRestoration XSS: With a CVSS of 8.2, this flaw targets the <ScrollRestoration> API. “A XSS vulnerability exists … when using the getKey/storageKey props during Server-Side Rendering”.
- Open Redirect XSS (CVE-2026-22029): Rated CVSS 8.0, this issue affects Single Page Application (SPA) navigation. “SPA open navigation redirects originating from loaders or actions … can result in unsafe URLS causing unintended javascript execution on the client”.
Rounding out the patch list are two medium-severity logic flaws:
- CSRF Vulnerability (CVE-2026-22030): React Router is vulnerable to Cross-Site Request Forgery (CSRF) on document POST requests “when using server-side route action handlers in Framework Mode”.
- External Redirects (CVE-2025-68470): “An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL”.
These vulnerabilities heavily impact users of @remix-run packages and react-router in Framework Mode. Users are advised to verify their versions against the advisory, as “this does not impact your application if you are using Declarative Mode (<BrowserRouter>) or Data Mode” for several of the listed CVEs.
Patches have been released across the board, with safe versions generally starting at 7.12.0 or 7.9.6 for the main router package, depending on the specific vulnerability addressed.