Description
If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory.
Recommendation
Update the @remix-run/deno package to the latest compatible version. Version details:
- Affected version(s): <= 2.17.1
- Patched version(s): 2.17.2
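The class of bug in the description, a file path built from a client-controlled session id, shown next to a containment check. This is an added example, not code from React Router, Remix, or the patch; the function names, the hex id format, and the sample directory and ids are assumptions constructed for illustration.

```javascript
const path = require("node:path");

// Vulnerable pattern (hypothetical helper): the id comes straight from an
// unsigned cookie, so the client controls every path segment.
function naiveSessionPath(sessionDir, id) {
  return path.join(sessionDir, id);
}

// True only when candidate is strictly below base after normalisation.
// A plain string-prefix test would wrongly accept "/var/app/sessions-evil".
function isContained(base, candidate) {
  const rel = path.relative(path.resolve(base), path.resolve(candidate));
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hardened pattern (hypothetical helper): allowlist the id format (assumed
// to be lowercase hex), then verify containment anyway as a second layer.
function safeSessionPath(sessionDir, id) {
  if (typeof id !== "string" || !/^[0-9a-f]{16,64}$/.test(id)) return null;
  const candidate = path.resolve(sessionDir, id.slice(0, 4), id.slice(4));
  return isContained(sessionDir, candidate) ? candidate : null;
}

// Constructed inputs: one well-formed id and three malformed ones.
const SESSION_DIR = "/var/app/sessions";
const SAMPLE_IDS = ["0123456789abcdef", "../../../tmp/x", "..", "0123/../../../x"];

// For each id, report whether the naive mapping leaves the session
// directory and what the hardened mapping returns (null means rejected).
function demo() {
  return SAMPLE_IDS.map((id) => ({
    id,
    naiveEscapes: !isContained(SESSION_DIR, naiveSessionPath(SESSION_DIR, id)),
    safe: safeSessionPath(SESSION_DIR, id),
  }));
}

console.log(demo());
```

Signing the session cookie (the `secrets` cookie option) removes the unsigned-cookie precondition the description names; a containment check like this one is defense in depth for any code that maps an identifier to a file.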
- Tags:
- npm
- @remix-run/deno
Last updated on January 11, 2026