Critical React Router Vulnerability Let Attackers Access or Modify Server Files


Security researchers have identified critical vulnerabilities in React Router that allow attackers to access or modify server files via directory traversal.

The flaws affect multiple packages within the React Router ecosystem and carry a CVSS v3 score of 9.8, classifying them as critical severity.

CVE ID           Severity         Attack Vector   Flaw Type
CVE-2025-61686   Critical (9.8)   Network         Remote Code Execution / DoS

Unauthorized File Access Vulnerability

The primary vulnerability, tracked as CVE-2025-61686, exists in the createFileSessionStorage() function when used with unsigned cookies.

Attackers can manipulate session cookies to force the application to read or write files outside the designated session directory.

Multiple packages within the React Router and Remix ecosystem are impacted:

Package Name          Affected Versions
@react-router/node    7.0.0 through 7.9.3
@remix-run/deno       2.17.1 and earlier
@remix-run/node       2.17.1 and earlier

The vulnerability enables directory traversal attacks through malicious session cookies.


While attackers cannot directly retrieve file contents, successful exploitation allows:

- Reading files that match the session file format specifications.
- Modifying session data that could be returned by application logic.
- Potentially accessing sensitive configuration files, depending on server permissions.

The attack's effectiveness depends on web server process permissions and file system access controls.

Developers must immediately upgrade to patched versions:

Package Name          Safe Version (Fixed)
@react-router/node    7.9.4 or later
@remix-run/deno       2.17.2 or later
@remix-run/node       2.17.2 or later

The security patch addresses the directory traversal vulnerability by implementing proper path validation and sanitization within the session storage mechanism.

According to the GitHub Advisory, organizations using affected versions of React Router should:

- Immediately upgrade to patched versions.
- Review server file permissions and access controls.
- Audit session storage implementations for unsigned cookie usage.
- Monitor for suspicious session cookie patterns.
- Implement additional file-system restrictions where feasible.
