PatchSiren cyber security CVE debrief
CVE-2025-61686 remix-run CVE debrief
CVE-2025-61686 is a critical vulnerability in React Router, a popular router for React applications, and in the Remix v2 packages that share its file-backed session storage. It affects @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno versions before 2.17.2, and @remix-run/node versions before 2.17.2. An attacker can exploit it to make the session store read from or write to a location outside the configured session file directory, potentially leading to unauthorized access to sensitive data. What the attack can reach depends on the permissions of the web server process. The contents of a read file are not returned directly to the attacker, but a session file read can succeed if the target file matches the expected session file format; the data is then populated into the server-side session and is only exposed if the application logic returns that session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
- Vendor
- remix-run
- Product
- react-router
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-10
- Original CVE updated
- 2026-06-27
- Advisory published
- 2026-01-10
- Advisory updated
- 2026-06-27
Who should care
Developers and administrators using React Router (or Remix v2) file session storage in their applications should be aware of this critical vulnerability. It can lead to unauthorized access to sensitive data: an attacker can redirect session file reads and writes to paths outside the session file directory. The remix-run project (owned by Shopify) has published patched versions for the affected packages.
Technical summary
The vulnerability is caused by createFileSessionStorage() in @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) trusting the session ID carried in an unsigned cookie. Because that ID is used to build the path of the session file, an attacker who supplies a crafted cookie value can steer the read or write outside the session file directory, potentially leading to unauthorized access to sensitive data. The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. The affected versions are @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2.
Defensive priority
This vulnerability has a high defensive priority due to its critical CVSS score and potential impact on sensitive data. Administrators and developers should prioritize patching the affected versions to prevent exploitation.
Recommended defensive actions
- Upgrade @react-router/node to version 7.9.4 or later
- Upgrade @remix-run/deno to version 2.17.2 or later
- Upgrade @remix-run/node to version 2.17.2 or later
- Until the upgrade is deployed, configure secrets on the session cookie so it is signed; this removes the attacker's ability to alter the session ID but is an interim measure, not a substitute for the patch
- Review application logic to ensure session contents are never echoed back to the client, since a successful out-of-directory read only becomes a data leak through such a code path
- Monitor the session file directory and the web server process for file reads or writes outside that directory
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the affected versions. The source item URL provides additional information on the vulnerability, including references to mitigation and vendor references.
Official resources
- CVE-2025-61686 CVE record (CVE.org)
- CVE-2025-61686 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.