Security Assessment: CVE-2025-61686 - Repository Not Affected #71

Draft
Copilot wants to merge 3 commits into main from copilot/fix-react-router-vulnerability

Copilot AI commented Jan 15, 2026

CVE-2025-61686 is a critical (CVSS 9.8) React Router vulnerability enabling directory traversal attacks via createFileSessionStorage() with unsigned cookies. Affects @react-router/node 7.0.0-7.9.3, @remix-run/node ≤2.17.1, and @remix-run/deno ≤2.17.1.

Assessment Result

Repository is NOT vulnerable. Uses Next.js 16.1.0 with built-in routing, not React Router/Remix.

Changes

  • Added SECURITY_ASSESSMENT.md: Documents vulnerability details, verification methodology, and findings for future reference
  • Verification performed:
    • No vulnerable packages in direct dependencies
    • No vulnerable packages in transitive dependencies
    • Confirmed via npm list --all and package-lock.json analysis

Technical Context

# Verification commands executed
npm list --all 2>&1 | grep -iE "react-router|remix"
# Result: No React Router or Remix dependencies found

The application uses next-auth for session management, not the vulnerable createFileSessionStorage() function from React Router.

Original prompt

Critical React Router Vulnerability Lets Attackers Access or Modify Server Files

Security researchers have identified critical vulnerabilities in React Router that allow attackers to access or modify server files via directory traversal.

The flaws affect multiple packages within the React Router ecosystem and carry a CVSS v3 score of 9.8, classifying them as critical severity.

| CVE ID | Severity | Attack Vector | Flaw Type |
| --- | --- | --- | --- |
| CVE-2025-61686 | Critical (9.8) | Network | Remote Code Execution / DoS |

Unauthorized File Access Vulnerability
The primary vulnerability, tracked as CVE-2025-61686, exists in the createFileSessionStorage() function when used with unsigned cookies.

Attackers can manipulate session cookies to force the application to read or write files outside the designated session directory.

Multiple packages within the React Router and Remix ecosystem are impacted:

| Package Name | Affected Versions |
| --- | --- |
| @react-router/node | 7.0.0 through 7.9.3 |
| @remix-run/deno | 2.17.1 and earlier |
| @remix-run/node | 2.17.1 and earlier |

The vulnerability enables directory traversal attacks through malicious session cookies.

While attackers cannot directly retrieve file contents, successful exploitation allows:

  • Reading files that match session file format specifications.
  • Modifying session data that could be returned by application logic.
  • Potentially accessing sensitive configuration files depending on server permissions.

The attack’s effectiveness depends on web server process permissions and file system access controls.

Developers must immediately upgrade to patched versions:

| Package Name | Safe Version (Fixed) |
| --- | --- |
| @react-router/node | 7.9.4 or later |
| @remix-run/deno | 2.17.2 or later |
| @remix-run/node | 2.17.2 or later |

The security patch addresses the directory traversal vulnerability by implementing proper path validation and sanitization within the session storage mechanism.

According to the GitHub Advisory, organizations using affected versions of React Router should:

  • Immediately upgrade to patched versions.
  • Review server file permissions and access controls.
  • Audit session storage implementations for unsigned cookie usage.
  • Monitor for suspicious session cookie patterns.
  • Implement additional file-system restrictions where feasible.

Fix these if affected
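The dependency check the PR describes (`npm list --all | grep`) only reports what is installed in the current tree; a lockfile audit that compares every installed copy against the advisory's version ranges, including copies nested under another dependency, gives a reproducible answer. The script below is an added example and is not code from this PR or from the repository it targets. It assumes a `package-lock.json` with `lockfileVersion` 2 or 3 (the `"packages"` map keyed by `node_modules/...` paths); the `SAMPLE_LOCK` object, the `some-tool` package name and all versions other than the advisory's own ranges are constructed for the demo.

```javascript
// Added example, not code from this PR or the repository it targets.
// Audits a package-lock.json (lockfileVersion 2 or 3, "packages" map) for the
// packages and version ranges the CVE-2025-61686 advisory text above lists.
// Usage: node audit_lock.js [path/to/package-lock.json]
// (falls back to the constructed SAMPLE_LOCK below when no path is given).

const CVE = "CVE-2025-61686";

// Affected ranges are inclusive [min, max]; "fixed" is the first safe version,
// all taken from the advisory tables on this page. The Remix packages are
// listed as "2.17.1 and earlier", so their lower bound is 0.0.0.
const AFFECTED = {
  "@react-router/node": { min: "7.0.0", max: "7.9.3", fixed: "7.9.4" },
  "@remix-run/node": { min: "0.0.0", max: "2.17.1", fixed: "2.17.2" },
  "@remix-run/deno": { min: "0.0.0", max: "2.17.1", fixed: "2.17.2" },
};

// Numeric major.minor.patch comparison returning -1, 0 or 1. Pre-release and
// build suffixes are stripped, which is enough for the ranges above; use the
// `semver` package if you need full range semantics.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const range = AFFECTED[name];
  if (!range) return false;
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) <= 0;
}

// The package name is everything after the last "node_modules/" in the
// lockfile key, so nested copies (node_modules/a/node_modules/@remix-run/node)
// are found as well; these are the copies a top-level `npm list` would hide.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns one finding per installed copy of a package named in the advisory,
// flagging whether that copy's version falls inside the affected range.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !(name in AFFECTED) || !entry.version) continue;
    findings.push({
      path: key,
      name,
      version: entry.version,
      affected: isAffected(name, entry.version),
      fixed: AFFECTED[name].fixed,
    });
  }
  return findings;
}

// Constructed sample: a patched top-level @react-router/node plus a vulnerable
// copy nested under a hypothetical "some-tool" dependency.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "16.1.0" },
    "node_modules/@react-router/node": { version: "7.9.4" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/@remix-run/node": { version: "2.17.1" },
  },
};

// One human-readable line per vulnerable copy, or a single "clean" line.
function report(findings) {
  const hits = findings.filter((f) => f.affected);
  if (hits.length === 0) return [`No package in the ${CVE} affected ranges found`];
  return hits.map(
    (f) => `VULNERABLE ${f.name}@${f.version} at ${f.path} (${CVE}); upgrade to >=${f.fixed}`
  );
}

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const line of report(auditLockfile(lock))) console.log(line);
}
```

Run against the real lockfile with `node audit_lock.js package-lock.json`; a CI gate would additionally exit non-zero when `report()` returns a `VULNERABLE` line. Note that a clean lockfile audit confirms only that the affected packages are absent, which is the "Repository is NOT vulnerable" conclusion above; an application that does depend on React Router or Remix still needs the `createFileSessionStorage()` usage checked for unsigned cookies, as the advisory's audit step says.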


Copilot AI and others added 2 commits January 15, 2026 21:56
Co-authored-by: saoc90 <7711719+saoc90@users.noreply.github.com>
Co-authored-by: saoc90 <7711719+saoc90@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix critical vulnerability in React Router allowing unauthorized access" to "Security Assessment: CVE-2025-61686 - Repository Not Affected" on Jan 15, 2026
Copilot AI requested a review from saoc90 January 15, 2026 21:59