Summary
React Router and Remix released patches for a critical directory traversal vulnerability, CVE-2025-61686, which allows attackers to read or write server files via unsigned session cookies.
Take Action:
If you use createFileSessionStorage in React Router or Remix, this is important and urgent. Check whether you are using signed cookies for session storage. If not, change that ASAP, and update the packages to the latest versions immediately. Ideally, limit the file system permissions of your web server process to the bare minimum.
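The following Node.js illustration is an added example, not React Router or Remix code. It shows the two defences the advice above relies on: verifying an HMAC signature on the cookie value before it is used as a session id, and confirming the resulting session file path stays inside the session directory. The function names, the secret and the directory are assumptions made for the example.

```javascript
// Added illustration; not React Router or Remix source code.
const nodeCrypto = require("node:crypto");
const nodePath = require("node:path").posix; // POSIX paths for a deterministic demo

const SECRET = "constructed-demo-secret";  // assumption: load from a secret store in practice
const SESSION_DIR = "/var/app/sessions";   // assumption: hypothetical session directory

// Sign a session id as "<id>.<base64url HMAC-SHA256>".
function signValue(id, secret = SECRET) {
  const mac = nodeCrypto.createHmac("sha256", secret).update(id).digest("base64url");
  return `${id}.${mac}`;
}

// Return the session id only if the signature verifies, otherwise null.
function unsignValue(cookieValue, secret = SECRET) {
  const dot = cookieValue.lastIndexOf(".");
  if (dot <= 0) return null; // unsigned or malformed value
  const id = cookieValue.slice(0, dot);
  const expected = Buffer.from(signValue(id, secret));
  const given = Buffer.from(cookieValue);
  if (expected.length !== given.length) return null;
  return nodeCrypto.timingSafeEqual(expected, given) ? id : null;
}

// Defence in depth: the resolved file must stay inside the session directory.
function sessionFileFor(id, dir = SESSION_DIR) {
  const base = nodePath.resolve(dir);
  const file = nodePath.resolve(base, id);
  return file.startsWith(base + "/") ? file : null;
}

// Full check: signature first, then path containment.
function resolveSession(cookieValue) {
  const id = unsignValue(cookieValue);
  return id === null ? null : sessionFileFor(id);
}
```

With a signed cookie, a client cannot choose the session id, so the path check is a second layer rather than the only one.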
This article was originally published on BeyondMachines