Cyber Posture

CVE-2025-61686

Critical

Published: 10 January 2026

Modified: 04 February 2026
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-61686 is a critical-severity Path Traversal (CWE-22) vulnerability in Shopify react-router/node. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques, listed below. What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 requires timely identification, reporting, and correction of software flaws, directly addressing this path traversal vulnerability through patching to the fixed versions.

Prevent: SI-10 enforces validation of information inputs, such as the unsigned cookie used to derive session file paths, preventing path traversal outside the intended directory.

Prevent: AC-6 applies least privilege to the web server process, restricting file system access to only the session directory and blocking exploitation even if traversal is attempted.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in public-facing web session storage directly enables remote exploitation (T1190) with arbitrary local file reads (T1005) and overwrites (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.

Deeper analysis

CVE-2025-61686 is a path traversal vulnerability (CWE-22) affecting React Router and related packages. It impacts @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2. The issue arises when createFileSessionStorage() is used with an unsigned cookie, allowing session operations to target locations outside the specified session file directory. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting high integrity and availability impacts with no direct confidentiality loss.

An unauthenticated network attacker can exploit this by crafting a malicious unsigned cookie to trigger session read or write operations on arbitrary files outside the intended directory. Exploitation success depends on the web server process's file system permissions. While read files cannot be directly returned to the attacker, a successful read occurs only if the file matches the expected session file format, populating the data into the server-side session. This session data is not directly exposed unless application logic returns specific session information. Write operations could similarly overwrite files outside the directory if permissions allow.

The GitHub security advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw details the patch, which addresses the issue in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. Security practitioners should upgrade to these versions and review applications using file-based session storage with unsigned cookies for exposure.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

Vendor    Product              Affected versions
shopify   react-router/node    7.0.0 to 7.9.4
shopify   remix-run/deno       ≤ 2.17.2
shopify   remix-run/node       ≤ 2.17.2

CVEs Like This One

CVE-2026-33656 (shared CWE-22)
CVE-2026-26187 (shared CWE-22)
CVE-2026-33344 (shared CWE-22)
CVE-2026-21884 (same vendor: Shopify)
CVE-2025-59057 (same vendor: Shopify)
CVE-2026-22029 (same vendor: Shopify)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
