React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw)

Severity:: High

Description

If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory.

Recommendation

Update the @remix-run/node package to the latest compatible version. Followings are version details:

Affected version(s): <= 2.17.1
Patched version(s): 2.17.2

References

GHSA-9583-h5hc-x8cw
CVE-2025-61686
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

React Router has Path Traversal in File Session Storage - CVE-2025-61686
jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
React Router has XSS Vulnerability - CVE-2025-59057
Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606

Tags:: npm; @remix-run/node

Anything's wrong? Let us know Last updated on January 11, 2026