URL Spoofing Vulnerability in React Router and Remix by Remix Run
CVE-2025-31137

7.5HIGH

Key Information:

Vendor
Remix-run
Status
React-router
Vendor
CVE Published:
1 April 2025

Badges

πŸ”₯ Trending nowπŸ“ˆ TrendedπŸ“ˆ Score: 2,400πŸ‘Ύ Exploit ExistsπŸ“° News Worthy

What is CVE-2025-31137?

CVE-2025-31137 is a URL spoofing vulnerability affecting the React Router and Remix frameworks developed by Remix Run. These frameworks are widely utilized for building single-page applications with React. The vulnerability arises from the ability for malicious actors to manipulate URL paths through the inclusion of inappropriate characters in HTTP request headers. This can compromise the integrity of the application's routing mechanism, leading to potential security risks for organizations that rely on these technologies to manage user navigation and internal logic.

Technical Details

This vulnerability specifically affects users of Remix 2 and React Router 7 who employ the Express adapter. By crafting specific Host or X-Forwarded-Host headers, attackers can exploit the vulnerability by injecting a URL pathname into the port section of the URL. This misdirection can result in applications being tricked into processing potentially harmful requests under false pretenses. The issue has been officially patched in Remix version 2.16.3 and React Router version 7.4.1, which emphasizes the importance of keeping these frameworks updated to deter exploitation.

Potential impact of CVE-2025-31137

  1. Security Breaches: The ability to spoof URLs can facilitate attacks that compromise user authentication and session management, leading to unauthorized access to sensitive data or functionality within the application.

  2. Phishing and Misleading Content: Attackers can manipulate URLs to direct users to fraudulent sites or deliver misleading content, resulting in increased risks of phishing attacks targeting both end-users and organizational resources.

  3. Reputation Damage: Organizations impacted by successful exploitation of this vulnerability could face significant reputation harm, as users and clients may lose trust in their ability to secure applications, leading to potential loss of business and customer loyalty.

Affected Version(s)

react-router >= 7.0.0, < 7.4.1 < 7.0.0, 7.4.1

react-router >= 2.11.1, < 2.16.3 < 2.11.1, 2.16.3

News Articles

favicon imageCybersecurityNews

React Router Flaw Exposes Web Apps to Cache Poisoning & WAF Bypass Attacks

A critical security vulnerability, CVE-2025-31137, has been identified in React Router, a popular library used by millions of developers.

11 hours ago

favicon imageVulert

CVE-2025-31137: URL Manipulation Vulnerability in @react-router/express and @remix-run/express

Learn about CVE-2025-31137, a URL manipulation vulnerability in @react-router/express and @remix-run/express. Discover how to fix it and protect your application.

2 days ago

favicon imageNational Institute of Standards and Technology (.gov)

NVD - CVE-2025-31137

Description React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2...

2 days ago

References

https://github.com/remix-run/react-router/security/adviso...
x_refsource_CONFIRM

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ“ˆ

    Vulnerability started trending

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by National Institute of Standards and Technology (.gov)

  • Vulnerability published

.