Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
- Severity: High
Description
We received a report of a vulnerability in Remix/React Router that affects Remix 2 and React Router 7 applications served through the Express adapter. The adapter builds the URL of the incoming request from the Host and X-Forwarded-Host headers; because both are client-supplied, a request can carry an attacker-chosen host, and that host then appears in the request URL the application sees (and in anything derived from it, such as absolute links or redirects).
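The following is an added illustration, not code from @remix-run/express or the React Router project: a stand-in for the request object an Express adapter reads, a URL builder that trusts X-Forwarded-Host unconditionally (the weak pattern described above), and a hardened builder that honours X-Forwarded-Host only when the TCP peer is a trusted proxy and rejects any host that is not on an allow-list. The request shape, the policy object and the sample requests are constructed for the example.

```javascript
// Added example (not the project's own code). Shows how deriving the request
// URL from client-controlled Host / X-Forwarded-Host headers lets a caller
// steer the origin, and one way to harden the pattern.

// Stand-in for the subset of an Express request an adapter reads.
// Constructed for this example; field names are assumptions.
function makeReq({ headers, remoteAddress, originalUrl, protocol = "http" }) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return {
    protocol,
    originalUrl,
    socket: { remoteAddress },
    get: (name) => lower[name.toLowerCase()],
  };
}

// Weak pattern: X-Forwarded-Host wins unconditionally, so any client can
// rewrite the origin of the URL the application sees.
function buildUrlUnsafe(req) {
  const host = req.get("x-forwarded-host") || req.get("host");
  return new URL(`${req.protocol}://${host}${req.originalUrl}`);
}

// Hostname or hostname:port only; rejects "/", "@", "#" and friends so the
// header cannot smuggle a path, userinfo or fragment into the URL.
const HOST_RE = /^[A-Za-z0-9.-]+(:\d{1,5})?$/;

// Hardened pattern: only a trusted proxy may set X-Forwarded-Host, and the
// resulting hostname must be on the allow-list.
function buildUrlSafe(req, { trustedProxies, allowedHosts }) {
  const fromProxy = trustedProxies.has(req.socket.remoteAddress);
  const forwarded = fromProxy ? req.get("x-forwarded-host") : undefined;
  // X-Forwarded-Host may carry a comma-separated chain; use the first entry.
  const host = (forwarded || req.get("host") || "").split(",")[0].trim();
  if (!HOST_RE.test(host)) {
    throw new Error(`malformed Host: ${JSON.stringify(host)}`);
  }
  const url = new URL(`${req.protocol}://${host}${req.originalUrl}`);
  if (!allowedHosts.has(url.hostname)) {
    throw new Error(`untrusted host: ${url.hostname}`);
  }
  return url;
}

// Example policy (constructed): one reverse proxy, one public hostname.
const POLICY = {
  trustedProxies: new Set(["10.0.0.5"]),
  allowedHosts: new Set(["app.example.com"]),
};

// A direct client sends a forged X-Forwarded-Host (constructed request).
const DIRECT_FORGED = makeReq({
  headers: { Host: "app.example.com", "X-Forwarded-Host": "attacker.example" },
  remoteAddress: "203.0.113.9",
  originalUrl: "/reset?token=abc",
});

// The same path arriving via the trusted proxy (constructed request).
const VIA_PROXY = makeReq({
  headers: { Host: "10.0.0.5:3000", "X-Forwarded-Host": "app.example.com" },
  remoteAddress: "10.0.0.5",
  originalUrl: "/reset?token=abc",
});

// A direct client that also forges the Host header itself (constructed).
const DIRECT_BAD_HOST = makeReq({
  headers: { Host: "attacker.example" },
  remoteAddress: "203.0.113.9",
  originalUrl: "/",
});

function demonstrate() {
  let rejected = null;
  try {
    buildUrlSafe(DIRECT_BAD_HOST, POLICY);
  } catch (e) {
    rejected = e.message;
  }
  return {
    unsafeHost: buildUrlUnsafe(DIRECT_FORGED).hostname, // attacker.example
    safeDirectHost: buildUrlSafe(DIRECT_FORGED, POLICY).hostname, // app.example.com
    safeProxyHost: buildUrlSafe(VIA_PROXY, POLICY).hostname, // app.example.com
    rejected,
  };
}

console.log(demonstrate());
```

In a real Express deployment the same policy is expressed by configuring `trust proxy` and reading `req.hostname`, which Express derives from X-Forwarded-Host only when the setting trusts the peer; pair that with an explicit hostname allow-list, since a misconfigured proxy can still forward whatever the client sent. The allow-list check above is on `url.hostname`, so a port suffix in the header does not bypass it, and bracketed IPv6 literals are rejected by `HOST_RE` on purpose.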
Recommendation
Update the @remix-run/express package to the latest compatible version. Affected and patched versions:
- Affected version(s): >= 2.11.1, < 2.16.3
- Patched version(s): 2.16.3
References
Related Issues
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
- webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - CVE-2025-68458
- React Router has XSS Vulnerability - CVE-2025-59057
- React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
- Tags: npm, @remix-run/express
Last updated on April 01, 2025