CVE-2025-61686: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in remix-run react-router
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
AI Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2025-61686 is a critical path traversal vulnerability (CWE-22) in the React Router and Remix Run frameworks, specifically in @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to 2.17.2, and @remix-run/node prior to 2.17.2. The vulnerability occurs when createFileSessionStorage() is used with unsigned cookies, which lets an attacker influence the pathname used for session file storage. That influence causes the session mechanism to read from or write to files outside the designated session directory. Whether the access succeeds depends on the file system permissions granted to the web server process. File contents are not disclosed directly to the attacker, but if the targeted file matches the expected session file format, its data is loaded into the server-side session. This could lead to unauthorized modification of session state or influence application logic wherever the application exposes session data. The vulnerability requires no privileges or user interaction, making it highly exploitable remotely. The issue was addressed by patches released in @react-router/node 7.9.4, @remix-run/deno 2.17.2, and @remix-run/node 2.17.2. No exploitation in the wild has been reported as of this writing.
Potential Impact
The vulnerability poses a significant risk to organizations using affected versions of React Router and Remix Run frameworks, especially those relying on file-based session storage with unsigned cookies. Successful exploitation can lead to unauthorized modification of session data, potentially allowing attackers to escalate privileges, bypass authentication, or manipulate application state. Although direct file disclosure is limited, the ability to write outside the intended directory can facilitate further attacks, such as injecting malicious session data or corrupting session files, potentially causing denial of service or enabling further compromise. Given the widespread use of React Router and Remix Run in modern web applications, this vulnerability could impact a broad range of industries including technology, finance, healthcare, and e-commerce. The lack of required authentication and user interaction increases the risk of automated exploitation attempts. Organizations failing to patch may face data integrity issues, service disruptions, and reputational damage.
Mitigation Recommendations
Organizations should immediately upgrade to the patched versions: @react-router/node 7.9.4 or later, @remix-run/deno 2.17.2 or later, and @remix-run/node 2.17.2 or later. Review and audit session management configurations so that unsigned cookies are never combined with file-based session storage. Apply strict file system permissions that restrict the web server process to only the directories it needs, limiting the impact of any path traversal. Validate and sanitize input so that session file paths cannot be shaped by user-controlled values. Consider migrating to session storage mechanisms that do not rely on file system paths, such as in-memory or database-backed stores. Monitor application logs for unusual session file access patterns or errors that indicate path traversal attempts. Conduct penetration testing focused on session management and path traversal vectors to verify that mitigations are effective. Maintain an incident response plan so that any exploitation attempt can be handled quickly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-29T20:25:16.182Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961c40f19784dcf52ace864
Added to database: 1/10/2026, 3:14:23 AM
Last enriched: 3/4/2026, 6:33:55 PM
Last updated: 3/24/2026, 2:48:20 PM