React Router has Path Traversal in File Session Storage - @remix-run/node

Description

If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory.

Recommendation

Update the @remix-run/node package to the latest compatible version. Followings are version details:

• Affected version(s): <= 2.17.1
• Patched version(s): 2.17.2

References

• GHSA-9583-h5hc-x8cw
• CVE-2025-61686
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• React Router has Path Traversal in File Session Storage - CVE-2025-61686
• jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
• Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers - CVE-2025-31137
• Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@remix-run/node