
CVE-2025-31137
Good to know:

Date: April 1, 2025
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. A vulnerability in Remix/React Router affects all Remix 2 and React Router 7 consumers using the Express adapter. It allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of the URL carried in a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. The issue is patched in Remix 2.16.3 and React Router 7.4.1.
Severity Score
Weakness Type (CWE)
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-444

Top Fix

Upgrade Version
Upgrade to version @react-router/express - 7.4.1; @remix-run/express - 2.16.3
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | NONE |
Availability (A): | HIGH |