CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-31137: Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

7.5 CVSS

Description

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Classification

CVE ID: CVE-2025-31137

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected Products

Vendor: remix-run

Product: react-router

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 17.87% (scored less or equal to compared to others)

EPSS Date: 2025-04-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-31137
https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477

Timeline

2025-04-01 19:40:21 UTC
CVE

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
2025-04-01 23:15:29 UTC
Github Advisory Database (NPM)

[@remix-run/express] Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
2025-04-01 23:15:29 UTC
Github Advisory Database (NPM)

[@react-router/express] Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers