
Critical React Router Vulnerability Lets Attackers Access or Modify Server Files

Security researchers have identified a critical vulnerability in React Router that lets attackers read or modify files on the server via directory traversal.

The flaw affects several packages in the React Router and Remix ecosystem and carries a CVSS v3 score of 9.8, which classifies it as critical severity.

CVE ID            Severity          Attack Vector   Flaw Type
CVE-2025-61686    Critical (9.8)    Network         Directory traversal via session cookie

Unauthorized File Access Vulnerability

The vulnerability, tracked as CVE-2025-61686, exists in the createFileSessionStorage() function when it is used with unsigned cookies, that is, cookies created without signing secrets.

Because the session ID read from the cookie is used to build the path of the session file on disk, an attacker can place path traversal sequences in the cookie value and force the application to read or write files outside the designated session directory.

Multiple packages within the React Router and Remix ecosystem are impacted:

Package Name        Affected Versions
@react-router/node  7.0.0 through 7.9.3
@remix-run/deno     2.17.1 and earlier
@remix-run/node     2.17.1 and earlier

The vulnerability enables directory traversal attacks through malicious session cookies.

Although the flaw does not hand the attacker arbitrary file contents directly, successful exploitation allows:

- Reading files that match the session file format, whose contents then flow through the application's session logic.
- Modifying session data that the application may later read and return.
- Potentially reaching sensitive configuration files, depending on the permissions of the server process.

How far the attack goes depends on the permissions of the web server process and on file system access controls.

Developers must immediately upgrade to patched versions:

Package Name        Safe Version (Fixed)
@react-router/node  7.9.4 or later
@remix-run/deno     2.17.2 or later
@remix-run/node     2.17.2 or later

The security patch closes the directory traversal by validating and sanitizing the session-derived file path inside the session storage mechanism, so that a cookie value can no longer steer reads or writes outside the session directory.

According to the GitHub Advisory, organizations using affected versions of React Router should:

- Upgrade to the patched versions immediately.
- Review server file permissions and access controls.
- Audit session storage implementations for unsigned cookie usage.
- Monitor for suspicious session cookie patterns, such as path separators or ".." sequences in session cookie values.
- Implement additional file system restrictions where feasible.

Source: Cyber Security News (cybersecuritynews.com)
