Skip to content

[GHSA-9583-h5hc-x8cw] React Router has Path Traversal in File Session Storage #6749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ivanm696 wants to merge 1 commit into from
Closed

[GHSA-9583-h5hc-x8cw] React Router has Path Traversal in File Session Storage #6749

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions advisories/github-reviewed/2026/01/GHSA-9583-h5hc-x8cw/GHSA-9583-h5hc-x8cw.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-9583-h5hc-x8cw",
"modified": "2026-01-11T14:53:54Z",
"modified": "2026-01-11T14:53:55Z",
"published": "2026-01-08T20:45:07Z",
"aliases": [
"CVE-2025-61686"
],
"summary": "React Router has Path Traversal in File Session Storage",
"details": "If applications use `createFileSessionStorage()` from `@react-router/node` (or `@remix-run/node`/`@remix-run/deno` in Remix v2) with an [**unsigned cookie**](https://reactrouter.com/explanation/sessions-and-cookies#signing-cookies), it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. \n\nRead files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.",
"details": "If applications use `createFileSessionStorage()` from `@react-router/node` (or `@remix-run/node`/`@remix-run/deno` in Remix v2) with an [**unsigned cookie**](https://reactrouter.com/explanation/sessions-and-cookies#signing-cookies), it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. \n\nRead files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.\npnpm update @remix-run/node@2.17.2 @remix-run/react@2.17.2 @remix-run/serve@2.17.2 --latest",
"severity": [
{
"type": "CVSS_V3",
Expand Down
Loading