CVE-2025-31137

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. A vulnerability in Remix/React Router affects all Remix 2 and React Router 7 consumers using the Express adapter. It allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. The issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.
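
For deployments that build a request URL from these headers, the following added example (not the Remix/React Router patch and not code from this record) shows a strict Host / X-Forwarded-Host check that refuses any port section that is not a decimal port, and takes path and query only from the request line. The names `parseHostHeader` and `buildRequestUrl` and all sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the project's own code.
// A hostname label is letters, digits and inner hyphens; IPv6 literals are bracketed.
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
const HOSTNAME_RE = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`);
const IPV6_RE = /^\[[0-9A-Fa-f:.]+\]$/;

function parseHostHeader(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 255) {
    return null;
  }
  // Split host from the optional port; a bracketed IPv6 literal contains colons.
  const m = /^(\[[^\]]*\]|[^:]*)(?::(.*))?$/.exec(value);
  if (!m) return null;
  const [, host, port] = m;
  if (!HOSTNAME_RE.test(host) && !IPV6_RE.test(host)) return null;
  if (port === undefined) return { host: host.toLowerCase(), port: null };
  // Digits only: a port section holding "/", "?", "#" or nothing is rejected.
  if (!/^[0-9]{1,5}$/.test(port)) return null;
  const n = Number(port);
  if (n < 1 || n > 65535) return null;
  return { host: host.toLowerCase(), port: n };
}

function buildRequestUrl(protocol, hostHeader, originalUrl) {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return null; // caller should answer 400 Bad Request
  if (protocol !== "http" && protocol !== "https") return null;
  if (typeof originalUrl !== "string" || !originalUrl.startsWith("/")) return null;
  const authority =
    parsed.port === null ? parsed.host : `${parsed.host}:${parsed.port}`;
  const url = new URL(`${protocol}://${authority}`);
  // Path and query are assigned through setters, so they cannot be
  // re-parsed as part of the authority, and never come from a header.
  const q = originalUrl.indexOf("?");
  url.pathname = q === -1 ? originalUrl : originalUrl.slice(0, q);
  url.search = q === -1 ? "" : originalUrl.slice(q);
  return url;
}
```

A `null` result means the header should be rejected before any routing or redirect logic sees the URL.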
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) React Router is a multi-strategy router for React that connects React 18 with React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. This vulnerability allows spoofing the URL used in an incoming request by including a URL path in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been fixed and released in Remix 2.16.3 and React Router 7.4.1.

01 Apr 2025, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-04-01 19:15

Updated : 2026-04-15 00:35


NVD link : CVE-2025-31137

Mitre link : CVE-2025-31137

CVE.ORG link : CVE-2025-31137


Products Affected

No product.

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')