CVE-2025-61686 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal) affecting the React Router and Remix Run frameworks used in JavaScript/TypeScript web applications. The flaw exists in the createFileSessionStorage() function within @react-router/node (versions 7.0.0 through 7.9.3), @remix-run/deno (prior to 2.17.2), and @remix-run/node (prior to 2.17.2). When an unsigned cookie is used, an attacker can manipulate the session storage path to read or write files outside the designated session directory. This occurs because the pathname is not properly sanitized or restricted, allowing traversal sequences (e.g., ../) to escape the intended directory boundaries. The vulnerability depends on the web server process permissions; if the server has access to sensitive files, these could be accessed or overwritten. However, direct file content disclosure to the attacker is not possible unless the file matches the expected session file format, in which case the data could be loaded into the server-side session. This could lead to session poisoning or denial of service by corrupting session data. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The issue was patched in @react-router/node 7.9.4, @remix-run/deno 2.17.2, and @remix-run/node 2.17.2. The CVSS v3.1 score is 9.1 (critical), reflecting high impact on integrity and availability with low attack complexity and no privileges required.

For European organizations, this vulnerability poses a significant risk to web applications built using the affected versions of React Router and Remix Run frameworks. Exploitation could allow attackers to corrupt session data or cause denial of service by manipulating session storage files, potentially disrupting user sessions and application availability. Although direct data exfiltration is limited, session poisoning could lead to unauthorized actions or privilege escalation depending on application logic. Organizations in sectors with high reliance on web applications—such as finance, e-commerce, healthcare, and government—may face operational disruptions and reputational damage. The vulnerability's ease of exploitation and lack of required authentication increase the risk of widespread attacks, especially against public-facing applications. Additionally, if the web server process has elevated file system permissions, the impact could extend to unauthorized file modifications beyond session files, increasing the attack surface. Given the popularity of React and Remix in European software development, many organizations could be affected if patches are not applied promptly.

European organizations should immediately upgrade to the patched versions: @react-router/node 7.9.4 or later, @remix-run/deno 2.17.2 or later, and @remix-run/node 2.17.2 or later. Beyond upgrading, developers should audit session management code to ensure that file paths are properly sanitized and restricted to intended directories. Implement strict file system permissions for the web server process to minimize access to sensitive files outside session storage directories. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in session cookie values or related inputs. Conduct thorough testing of session handling logic to verify that corrupted or malicious session data cannot escalate privileges or cause application errors. Monitor application logs for unusual session file access patterns or errors indicative of attempted exploitation. Finally, integrate secure coding practices and static code analysis tools to detect similar path traversal issues in future development.