Critical React Router Bug Exposes Server Files

Security researchers have disclosed critical flaws in React Router that let attackers read or modify server files through directory traversal.

The vulnerabilities have a CVSS v3 score of 9.8, indicating critical severity, and they impact several packages in the React Router ecosystem.

The createFileSessionStorage() function is vulnerable (tracked as CVE-2025-61686) when it is used with unsigned cookies.

By tampering with session cookies, attackers can make the application read or write files outside the configured session directory.

Two consequences follow: files that match the session file format can be read, and session data that the application logic later returns can be changed.

Depending on server permissions, sensitive configuration files may be readable. The file system access controls and the permissions of the web server process determine how far the attack reaches.

The security patch resolves the directory traversal issue by adding proper path validation and sanitization to the session storage infrastructure.

According to the GitHub Advisory, organizations using affected versions of React Router should update to patched versions immediately.

Beyond upgrading, review the access controls and permissions on server files, check session storage implementations for the use of unsigned cookies, monitor for suspicious session cookie patterns, and impose tighter file-system restrictions where possible.