Description
If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory.
Recommendation
Update the @remix-run/deno package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.17.1
- Patched version(s): 2.17.2
References
Related Issues
- React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
- jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
- Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- Tags:
- npm
- @remix-run/deno
Anything's wrong? Let us know Last updated on January 11, 2026