Cyber Resilience

CVE-2025-61686

Critical · Updated

Published: 10 January 2026
Modified: 27 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.1480 (96.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-61686 is a critical-severity Path Traversal (CWE-22) vulnerability in Shopify React-Router/Node. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-61686 is a path traversal vulnerability (CWE-22) affecting React Router and related packages. It impacts @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2. The issue arises when createFileSessionStorage() is used with an unsigned cookie, allowing session operations to target locations outside the specified session file directory. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting high integrity and availability impacts with no direct confidentiality loss.

An unauthenticated network attacker can exploit this by crafting a malicious unsigned cookie that causes session read or write operations to target files outside the intended directory. Exploitation success depends on the web server process's file system permissions. Files read this way are not returned to the attacker directly: a read succeeds only if the file matches the expected session file format, in which case its data is populated into the server-side session, and that data is exposed only if application logic returns specific session information. Write operations could similarly overwrite files outside the directory if permissions allow.

The GitHub security advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw details the patch, which addresses the issue in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. Security practitioners should upgrade to these versions and review applications using file-based session storage with unsigned cookies for exposure.

Vulnerability details

React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in public-facing web session storage directly enables remote exploitation (T1190) with arbitrary local file reads (T1005) and overwrites (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33656 (shared CWE-22)
CVE-2026-33344 (shared CWE-22)
CVE-2026-26187 (shared CWE-22)
CVE-2025-59057 (same vendor: Shopify)
CVE-2026-21884 (same vendor: Shopify)
CVE-2026-22029 (same vendor: Shopify)
CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)

Affected Assets

shopify / react-router/node: 7.0.0 — 7.9.4
shopify / remix-run/deno: ≤ 2.17.2
shopify / remix-run/node: ≤ 2.17.2

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 (prevent): requires timely identification, reporting, and correction of software flaws, directly addressing this path traversal vulnerability through patching to the fixed versions.

SI-10 (prevent): enforces validation of information inputs like the unsigned cookie used to derive session file paths, preventing path traversal outside the intended directory.

AC-6 (prevent): applies least privilege to the web server process, restricting file system access to only the session directory and blocking exploitation even if traversal is attempted.
