React Router createFileSessionStorage path traversal before 7.9.4/2.17.2
CVE-2025-61686 Published on January 10, 2026

React Router has Path Traversal in File Session Storage
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.

Github Repository NVD

Vulnerability Analysis

CVE-2025-61686 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2025-61686 has been classified to as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2025-61686

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Cryostat
 
Red Hat Gatekeeper
 
Red Hat Logging
 
Red Hat Migration Toolkit Applications
 
Red Hat Rhmt
 
Red Hat Migration Toolkit Virtualization
 
Red Hat Multicluster Engine
 
Red Hat Network Observ Optr
 
Red Hat Workload Availability Nhc
 
Red Hat Openshift Lightspeed
 
Red Hat Openshift Pipelines
 
Red Hat Service Mesh
 
Red Hat Acm
 
Red Hat Advanced Cluster Security
 
Red Hat Ansible Automation Platform
 
Red Hat Apache Camel Hawtio
 
Red Hat Service Registry
 
Red Hat Kueue Operator
 
Red Hat Optaplanner
 
Red Hat Connectivity Link
 
Red Hat Jboss Data Grid
 
Red Hat Rhdh
 
Red Hat Discovery
 
Red Hat Edge Manager
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Jboss Fuse
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Openshift Ai
 
Red Hat Openshift
 
Red Hat Openshift Data Foundation
 
Red Hat Openshift Devspaces
 
Red Hat Openshift Distributed Tracing
 
Red Hat Openshift Gitops
 
Red Hat Container Native Virtualization
 
Red Hat Jboss Enterprise Bpms Platform
 
Red Hat Quay
 
Red Hat Satellite
 
Red Hat Single Sign On
 
Red Hat Trusted Artifact Signer
 
Red Hat Trusted Profile Analyzer
 

Affected Versions

remix-run react-router: Red Hat Cryostat 4: Red Hat Gatekeeper 3: Logging Subsystem for Red Hat OpenShift: Red Hat Migration Toolkit for Applications 7: Red Hat Migration Toolkit for Applications 8: Red Hat Migration Toolkit for Containers: Red Hat Migration Toolkit for Virtualization: Red Hat Multicluster Engine for Kubernetes: Red Hat Network Observability Operator: Red Hat Node HealthCheck Operator: Red Hat OpenShift Lightspeed: Red Hat OpenShift Pipelines: Red Hat OpenShift Service Mesh 2: Red Hat OpenShift Service Mesh 3: Red Hat Advanced Cluster Management for Kubernetes 2: Red Hat Advanced Cluster Security 4: Red Hat Ansible Automation Platform 2: Red Hat build of Apache Camel - HawtIO 4: Red Hat build of Apicurio Registry 2: Red Hat Build of Kueue: Red Hat build of OptaPlanner 8: Red Hat Connectivity Link 1: Red Hat Data Grid 8: Red Hat Developer Hub: Red Hat Discovery 2: Red Hat Edge Manager 1: Red Hat Edge Manager preview: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Fuse 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift Container Platform 4: Red Hat Openshift Data Foundation 4: Red Hat OpenShift Dev Spaces: Red Hat OpenShift distributed tracing 3: Red Hat OpenShift GitOps: Red Hat OpenShift Virtualization 4: Red Hat Process Automation 7: Red Hat Quay 3: Red Hat Satellite 6: Red Hat Single Sign-On 7: Red Hat Trusted Artifact Signer: Red Hat Trusted Profile Analyzer:

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-61686

Package Manager Vulnerable Package Versions Fixed In
npm @remix-run/deno <= 2.17.1 2.17.2
npm @remix-run/node <= 2.17.1 2.17.2
npm @react-router/node >= 7.0.0, <= 7.9.3 7.9.4

Exploit Probability

EPSS
14.80%
Percentile
96.26%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.