CVE-2025-31137 HIGH

CVE-2025-31137: Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Vendor Remix-Run
Product react-router
Weakness CWE-444
Published April 1, 2025
Last update April 2, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Key dates

02Disclosure timeline

April 1, 2025 CVE published
April 2, 2025 Record updated