


Perceptive Security
SOC/SIEM Consultancy

React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to ve…
Published: 9 January 2026 at 23:00:00
Alert date: 10 January 2026 at 13:10:58
Source: nvd.nist.gov
CVE-2025-61686 affects the React Router and Remix packages: when createFileSessionStorage() is used with unsigned cookies, attackers can read and write files outside the intended session directory. The vulnerability impacts @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to 2.17.2, and @remix-run/node prior to 2.17.2. Successful exploitation depends on the web server's permissions and on the file matching the session file format. Files cannot be returned directly to the attacker, but their contents could be populated into the session data on the server side. The issue has been patched in @react-router/node 7.9.4, @remix-run/deno 2.17.2, and @remix-run/node 2.17.2.
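A dependency check for the version ranges listed above, as an added example (not code from the advisory or from the React Router project): it walks the `packages` map of an npm `package-lock.json` and flags installs inside the affected ranges. The sample lockfile is constructed, and a flagged package is only exposed if the application also uses createFileSessionStorage() with unsigned cookies.

```javascript
// Affected ranges as stated in the advisory: introduced is inclusive, fixed is exclusive.
const AFFECTED = {
  "@react-router/node": { introduced: "7.0.0", fixed: "7.9.4" },
  "@remix-run/deno": { introduced: null, fixed: "2.17.2" },
  "@remix-run/node": { introduced: null, fixed: "2.17.2" },
};

// Split "7.9.3" into numeric parts; anything after the patch number is kept as a suffix.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(.*)$/.exec(version);
  return m ? { nums: [+m[1], +m[2], +m[3]], suffix: m[4] } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(name, version) {
  const range = AFFECTED[name];
  if (!range) return "not-listed";
  const v = parse(version);
  if (!v || v.suffix) return "review"; // missing, pre-release or build-tagged: check by hand
  if (compare(v.nums, parse(range.fixed).nums) >= 0) return "patched";
  if (range.introduced && compare(v.nums, parse(range.introduced).nums) < 0) return "not-affected";
  return "affected";
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; nested copies count too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has the key ""
    const name = path.slice(idx + "node_modules/".length);
    const status = classify(name, entry.version || "");
    if (status === "affected" || status === "review") {
      findings.push({ path, name, version: entry.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@react-router/node": { version: "7.9.3" },
  "node_modules/@remix-run/node": { version: "2.17.2" },
  "node_modules/legacy/node_modules/@remix-run/deno": { version: "2.16.0" },
} };
console.log(auditLockfile(sampleLock));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile()`.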
Technical details
Affected products:
React Router
@react-router/node
@remix-run/deno
@remix-run/node
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-61686
https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw
This article was created with the assistance of AI technology by Perceptive.
