CVE-2025-31137

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-31137

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31137.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-31137

Aliases

GHSA-4q56-crqp-v477

Published

2025-04-01T18:20:32.660Z

Modified

2026-04-10T05:25:42.994382Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Details

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Database specific

{
    "cwe_ids": [
        "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31137.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/remix-run/react-router

Affected ranges

Type

GIT

Repo

https://github.com/remix-run/react-router

Events

Introduced

e8e3b004d94a949372e77ce97a543bff5bc6fb89

Fixed

7350eef4e937e910308bcedd8254a4bba53058a6

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.1"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31137.json"