Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Description

We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter.

Recommendation

Update the @remix-run/express package to the latest compatible version. Followings are version details:

• Affected version(s): >= 2.11.1, < 2.16.3
• Patched version(s): 2.16.3

References

• GHSA-4q56-crqp-v477
• CVE-2025-31137
• CWE-444
• CAPEC-310
• OWASP 2021-A4
• OWASP 2021-A6

Related Issues

• Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
• tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138
• React Router has Path Traversal in File Session Storage - CVE-2025-61686
• React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686

Tags:

npm

@remix-run/express