CVE-2025-31137

Published: Apr 1, 2025

Modified: Apr 2, 2025

PUBLISHED

CVSS v3.0

7.5

HIGH

Description

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Vendor	Product	Versions
remix-run	react-router	affected `>= 7.0.0, < 7.4.1` affected `>= 2.11.1, < 2.16.3`

Weaknesses (CWE)

CWE-444

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-31137

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References