Advisory

Critical directory traversal vulnerability reported in React Router and Remix

Take action: If you are using createFileSessionStorage in React Router and Remix, this is important and urgent. Check if you are using signed cookies for session storage. If not, change that ASAP, and update packages to the latest versions immediately. Ideally, limit file system permissions of your web server process to the bare minimum.


Learn More

React Router and Remix developers report a security flaw that allows attackers to reach files outside the intended directories. The bug stems from how the software handles session storage on the server. If a developer uses unsigned cookies with specific storage functions, an attacker can trick the server into resolving session files in other parts of the file system. This flaw puts server integrity and data at risk if the web server process has broad permissions.

The flaw, tracked as CVE-2025-61686 (CVSS score 9.8), lives in the createFileSessionStorage() function. Attackers send malicious session cookies to trigger a directory traversal. This lets them read or write files that the web server process can touch. While the system does not send file contents back to the attacker directly, it can load sensitive settings into the application's memory or corrupt session data.

Example:

Vulnerable Server Code

import { createFileSessionStorage } from "@react-router/node";

const sessionStorage = createFileSessionStorage({
  dir: "/var/www/sessions",
  cookie: {
    name: "session"
    // Missing: secrets property (VULNERABLE!)
  }
});

app.get("/dashboard", async (req, res) => {
  const session = await sessionStorage.getSession(req.headers.cookie);
  const user = session.get("userId");
  res.json({ user });
});

Exploit 1: Read Application Secrets

curl https://victim-site.com/dashboard \
  -H "Cookie: session=../../../app/.env"

Result: Server reads /app/.env file containing database passwords and API keys into memory.

Exploit 2: Hijack Admin Session

curl https://victim-site.com/dashboard \
  -H "Cookie: session=admin_session_xyz"

Result: Attacker loads admin's session data and gains administrative access to the application.

Affected packages include:

  • @react-router/node versions 7.0.0 through 7.9.3
  • @remix-run/deno versions 2.17.1 and older
  • @remix-run/node versions 2.17.1 and older

The success of an attack depends on the permissions of the web server. If the server runs with high privileges, an attacker might modify critical system files or session data. This could lead to a system takeover or data corruption. Even if the attacker cannot see the files, they can break how the application works by changing session states. This makes the flaw a high risk for applications handling sensitive user data.

Developers should update their packages as soon as possible. Patched versions include @react-router/node 7.9.4 and @remix-run 2.17.2.

Beyond patching, teams should audit their code to ensure they use signed cookies for all session storage. Restricting file system permissions for the web server process also helps limit the damage.
