Critical React Router Flaws Could Let Attackers Access or Modify Server Files

A critical vulnerability has been discovered in React Router and Remix that could allow attackers to access or modify sensitive files on web servers.

The flaw affects multiple packages and has received a severity rating of Critical with a CVSS score of 8.8/10.

Vulnerability Overview

The security issue stems from improper handling of unsigned cookies in the createFileSessionStorage() function.

When developers use unsigned cookies to manage user sessions, attackers can craft malicious session cookies containing directory traversal sequences (such as ../) to read and write files outside the intended session directory.

The vulnerability impacts the following packages:

  • @react-router/node (versions 7.0.0 to 7.9.3)
  • @remix-run/node (versions up to 2.17.1)
  • @remix-run/deno (versions up to 2.17.1)

An attacker exploiting this vulnerability could potentially access sensitive files on the server, including configuration files, source code, or other critical system data.

The success of such attacks depends on the file system permissions granted to the web server process.

However, there are significant limitations. Attackers cannot directly read arbitrary files through the application.

Instead, they must craft session cookies that reference files matching the expected session file format.

If a matching file is found, its data gets loaded into the server-side session, which could then be exposed through standard application logic, as reported by GitHub.

Additionally, attackers can write malicious data to files outside the intended directory, potentially enabling code execution or system compromise if critical configuration or executable files are overwritten.

Developers using affected packages should upgrade immediately to the patched versions:

  • @react-router/node: Update to version 7.9.4 or higher
  • @remix-run/node: Update to version 2.17.2 or higher
  • @remix-run/deno: Update to version 2.17.2 or higher

The most effective mitigation is implementing signed cookies, which cryptographically verify session integrity and prevent attackers from modifying cookie contents.
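The following Node.js sketch is an added illustration, not code from React Router, Remix, or the GitHub advisory. It shows why a signed cookie stops a tampered session id before it ever reaches the file system, with a path containment check as a second layer. The secret, directory, id format and function names are all assumptions made for the example.

```javascript
// Added example: illustrates the mechanism only, not the libraries' implementation.
const { createHmac, timingSafeEqual } = require("node:crypto");
const path = require("node:path");

const SECRET = "constructed-demo-secret";   // constructed value; keep real secrets out of source
const SESSION_DIR = "/var/app/sessions";    // hypothetical session directory

// Append an HMAC-SHA256 tag so the server can detect any change to the value.
function sign(value, secret) {
  const mac = createHmac("sha256", secret).update(value).digest("hex");
  return `${value}.${mac}`;
}

// Return the original value, or null when the tag is missing or does not match.
function unsign(cookie, secret) {
  const idx = cookie.lastIndexOf(".");
  if (idx < 0) return null;                 // unsigned cookie: reject outright
  const value = cookie.slice(0, idx);
  const expected = Buffer.from(sign(value, secret));
  const given = Buffer.from(cookie);
  if (expected.length !== given.length) return null;
  return timingSafeEqual(expected, given) ? value : null;
}

// Defence in depth: accept only fixed-format ids (assumed here to be 16 hex
// characters) and require the resolved path to stay inside the session directory.
function sessionFilePath(dir, id) {
  if (!/^[0-9a-f]{16}$/.test(id)) return null;
  const root = path.resolve(dir);
  const file = path.resolve(root, id);
  return file.startsWith(root + path.sep) ? file : null;
}

// Cookie value -> session file path, or null if either check fails.
function lookup(cookie) {
  const id = unsign(cookie, SECRET);
  return id === null ? null : sessionFilePath(SESSION_DIR, id);
}
```

With both checks in place, a cookie the server did not issue is rejected by the signature check, and an id that does not match the expected format never becomes a file path even if the signing secret leaks.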
