{ "schema_version": "1.4.0", "id": "GHSA-4q56-crqp-v477", "modified": "2025-04-01T22:23:33Z", "published": "2025-04-01T22:23:33Z", "aliases": [ "CVE-2025-31137" ], "summary": "Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers", "details": "### Impact\n\nWe received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming `Request` by putting a URL pathname in the port section of a URL that is part of a `Host` or `X-Forwarded-Host` header sent to a Remix/React Router request handler.\n\n### Patches\n\nThis issue has been patched and released in Remix 2.16.3 React Router 7.4.1.\n\n### Credits\n\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "@react-router/express" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.4.1" } ] } ] }, { "package": { "ecosystem": "npm", "name": "@remix-run/express" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.11.1" }, { "fixed": "2.16.3" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31137" }, { "type": "PACKAGE", "url": "https://github.com/remix-run/react-router" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-01T22:23:33Z", "nvd_published_at": "2025-04-01T19:15:45Z" } }