CVE ID: CVE-2025-61686
Product: React Router / Remix (Node runtime)
Affected Component: createFileSessionStorage()
Vulnerability Type: Path Traversal (CWE-22)
CVSS v3 Score: 9.1 – Critical
Severity: Critical
Attack Vector: Network
Privileges Required: None
User Interaction: None
Exploitability: High
Exploit Availability: Conceptual PoC possible
Impact: Server-side session compromise, arbitrary file overwrite, service disruption, potential remote code execution depending on environment
Executive Summary
CVE-2025-61686 is a critical server-side vulnerability in React Router’s file-based session storage mechanism. Applications using createFileSessionStorage() allow user-controlled session identifiers to be directly mapped to file paths on disk. Because these session identifiers are not strictly validated or required to be cryptographically signed, an attacker can manipulate them to escape the intended session directory.
This enables path traversal, allowing the attacker to write files outside the session storage directory. While arbitrary file reads are limited by file format handling, arbitrary file writes are possible, which makes this vulnerability particularly dangerous.
In real-world deployments, this can lead to:
- Session poisoning
- Overwriting application files
- Dropping malicious scripts
- Application crashes
- Escalation to remote code execution under certain configurations
Affected Versions
- React Router Node adapter versions 7.0.0 through 7.9.3
- Remix applications that rely on the same file-based session storage logic
Patched Versions
- React Router Node 7.9.4
- Remix Node / Deno 2.17.2
Root Cause Analysis
The vulnerability exists because:
- Session identifiers come from client-controlled data (cookies or headers).
- These identifiers are directly used to construct filenames.
- No strict validation, canonicalization, or signing is enforced.
- Path traversal sequences (../ and URL-encoded variants) are not blocked.
- The resolved file path is not guaranteed to remain within the intended session directory.
This violates a core secure-coding rule: never trust user input for filesystem paths.
How Exploitation Works
- The attacker sends a request to a vulnerable application.
- The request includes a crafted session cookie such as:
session=../../../../var/www/app/config.json
or URL-encoded variants:
session=..%2F..%2F..%2F..%2Fvar%2Fwww%2Fapp%2Fconfig.json
- The application resolves this value into a file path.
- The server writes session data to the resolved location.
- The attacker has now overwritten a file outside the session store.
Depending on what file is overwritten and what permissions the Node.js process has, the attacker may:
- Break authentication logic
- Inject malicious configuration
- Plant executable code
- Cause denial of service
Proof-of-Concept (Educational Use Only)
⚠️ The following is conceptual and intended strictly for educational and defensive understanding.
Example malicious request
GET / HTTP/1.1
Host: vulnerable-app.example
Cookie: session=../../../../tmp/malicious-session
If the server process can write to /tmp, a new file will be created or overwritten with session data. More dangerous targets exist in real environments.
Why This Is Especially Dangerous
- The attack requires no authentication
- It works before login
- It targets server-side state
- File writes are often enough to chain into full compromise
- Many production apps use default session storage without review
Detection & Monitoring Guidance
What to Look for in Logs
HTTP Access Logs
- Session cookie values containing ../ or %2e%2e%2f
- Absolute paths (/etc/, /var/, C:\)
Application Logs
- Errors related to:
- File open/write failures
- Unexpected session file paths
- Stack traces mentioning session storage
System / OS Logs
- Unexpected file creation or modification
- Writes to configuration or application directories
- Permission errors triggered by traversal attempts
Detection Logic
SIEM / Log Rule Concept
Trigger alerts when:
- A request contains traversal patterns in cookies
- AND the application writes a file within the next few seconds
- AND the file path is outside the expected session directory
High-Risk Indicators
- Session file paths resolving outside /sessions/ or /tmp/sessions/
- Repeated traversal attempts from the same IP
- Session identifiers that are unusually long or path-like
MITRE Mapping
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CAPEC-126: Path Traversal
- ATT&CK (Post-Exploitation Possibilities):
- File Discovery
- File Modification
- Persistence via file overwrite
Mitigation & Hardening Recommendations
Immediate Actions
- Upgrade immediately
- This vulnerability is fully fixed in patched versions.
- Avoid file-based session storage
- Use Redis, database-backed sessions, or signed cookies.
- Enforce signed session identifiers
- Reject any unsigned or malformed session ID.
Additional Hardening
- Run Node.js with least privilege
- Prevent write access to sensitive directories
- Enable file integrity monitoring
- Containerize the application where possible
- Validate all session identifiers against strict allowlists
Incident Response Checklist
If exploitation is suspected:
- Identify requests with traversal patterns
- Review recently modified files
- Compare file hashes against known-good versions
- Rotate all active sessions
- Re-deploy clean application artifacts
- Patch before restoring service
Official Patch / Upgrade Link
👉 Official React Router Security Advisory & Patch:
https://github.com/remix-run/react-router/security/advisories
Final Takeaway
CVE-2025-61686 is a high-impact, low-complexity vulnerability that allows attackers to manipulate server-side files through a trusted session mechanism. Any exposed application using file-based session storage without the patch should be considered at immediate risk.
Patching is not optional — it is urgent.
