React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw)
- Severity: High
Description
If an application uses `createFileSessionStorage()` from `@react-router/node` (or `@remix-run/node` / `@remix-run/deno` in Remix v2) with an unsigned cookie, an attacker can cause the session storage to attempt to read or write at a location outside the specified session file directory.
Recommendation
Update the `@remix-run/node` package to the latest compatible version. Version details:
- Affected version(s): <= 2.17.1
- Patched version(s): 2.17.2
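
The failure mode in the description, seen from the defender's side, as an added example (not React Router's or Remix's own code): a session id taken from a cookie is accepted only if its HMAC verifies, and is mapped to a file only if it matches a strict format and resolves inside the session directory. The helper names, the hex id format, the secret and the directory are assumptions made for this sketch.

```javascript
const crypto = require("node:crypto");
const path = require("node:path");

// Hypothetical helpers for illustration; not the library's internals.
const ID_PATTERN = /^[0-9a-f]{16,64}$/; // assumed id format: lowercase hex only

// Append an HMAC-SHA256 tag so the server can tell its own ids from forged ones.
function signSessionId(id, secret) {
  const mac = crypto.createHmac("sha256", secret).update(id).digest("base64url");
  return `${id}.${mac}`;
}

// Return the session id if the tag verifies, otherwise null.
function unsignSessionId(cookieValue, secret) {
  const dot = cookieValue.lastIndexOf(".");
  if (dot <= 0) return null; // no tag at all: this is the unsigned case
  const id = cookieValue.slice(0, dot);
  const expected = Buffer.from(signSessionId(id, secret));
  const actual = Buffer.from(cookieValue);
  if (expected.length !== actual.length) return null;
  return crypto.timingSafeEqual(expected, actual) ? id : null;
}

// Map a session id to a file under `dir`, refusing anything that would
// resolve outside it. The format check is the first layer; the containment
// check is a second layer in case the format rule is ever loosened.
function sessionFilePath(dir, id) {
  if (typeof id !== "string" || !ID_PATTERN.test(id)) {
    throw new Error("invalid session id");
  }
  const root = path.resolve(dir);
  const file = path.resolve(root, id.slice(0, 4), id.slice(4));
  const rel = path.relative(root, file);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("session path escapes session directory");
  }
  return file;
}

// Constructed sample values, not taken from the advisory.
const SECRET = "example-secret-not-for-production";
const SESSION_DIR = "/var/app/sessions";
const GOOD_ID = "0123456789abcdef0123456789abcdef";
```

These checks are defence in depth around the storage layer and do not replace updating to the patched version.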
- Tags: npm, @remix-run/node
Last updated on January 11, 2026