CVE-2025-31137
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
Description
### Impact

We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. The vulnerability allows anyone to spoof the URL used in an incoming `Request` by placing a URL pathname in the port section of a URL that is part of a `Host` or `X-Forwarded-Host` header sent to a Remix/React Router request handler.

### Patches

This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

### Credits

- Rachid Allam (zhero;)
- Yasser Allam (inzo_)
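The mechanism described above, as an added illustration that is not the Remix or React Router code: a request handler reconstructs the incoming URL from `req.protocol`, `req.hostname`, the port segment of the `Host` / `X-Forwarded-Host` header, and the original path. When the port segment is spliced into the string unvalidated, a pathname hidden there becomes the parsed URL's pathname and the real path is pushed into the query string. The hardened form rejects any port segment that is not a number in range before it reaches the URL parser. The `req` objects are constructed stand-ins for an Express request; `splitHostPort`, `parsePort`, `buildUrlNaive` and `buildUrlStrict` are names chosen for this example.

```javascript
// Added example: URL reconstruction from Host / X-Forwarded-Host with an
// unvalidated port segment (vulnerable pattern) beside a validated form.
// Not the project's own code; `req` is a constructed Express-like object.

// Split "host[:port]" into its two parts, tolerating bracketed IPv6 literals.
function splitHostPort(hostHeader) {
  const h = String(hostHeader || "");
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    if (end === -1) return { host: h, port: "" };
    const rest = h.slice(end + 1);
    return { host: h.slice(0, end + 1), port: rest.startsWith(":") ? rest.slice(1) : "" };
  }
  const idx = h.indexOf(":");
  return idx === -1 ? { host: h, port: "" } : { host: h.slice(0, idx), port: h.slice(idx + 1) };
}

// X-Forwarded-Host takes precedence over Host, as a proxy-aware adapter would do.
function forwardedOrHost(req) {
  return req.headers["x-forwarded-host"] || req.headers["host"] || "";
}

// Vulnerable pattern: whatever follows the colon is trusted as the port and
// concatenated into the URL string before parsing.
function buildUrlNaive(req) {
  const { port } = splitHostPort(forwardedOrHost(req));
  const resolvedHost = `${req.hostname}${port ? `:${port}` : ""}`;
  return new URL(`${req.protocol}://${resolvedHost}${req.originalUrl}`);
}

// Hardened pattern: the port must be 1-5 digits in 1..65535; an empty port is
// allowed (header had no port), anything else is rejected (null).
function parsePort(port) {
  if (port === "") return "";
  if (!/^\d{1,5}$/.test(port)) return null;
  const n = Number(port);
  return n >= 1 && n <= 65535 ? String(n) : null;
}

function buildUrlStrict(req) {
  const { port } = splitHostPort(forwardedOrHost(req));
  const checked = parsePort(port);
  if (checked === null) {
    throw new Error(`rejected Host header with invalid port segment: ${JSON.stringify(port)}`);
  }
  const resolvedHost = `${req.hostname}${checked ? `:${checked}` : ""}`;
  return new URL(`${req.protocol}://${resolvedHost}${req.originalUrl}`);
}

// Constructed sample requests. The real path is /account in both; the first
// carries "/admin?" where a port should be.
const spoofedReq = {
  protocol: "https",
  hostname: "app.example",
  originalUrl: "/account",
  headers: { host: "app.example:/admin?" },
};

const honestReq = {
  protocol: "https",
  hostname: "app.example",
  originalUrl: "/account",
  headers: { host: "app.example:8443" },
};

// Returns a summary so the two behaviours can be compared side by side.
function compare() {
  const naive = buildUrlNaive(spoofedReq);
  let strictError = null;
  try {
    buildUrlStrict(spoofedReq);
  } catch (e) {
    strictError = e.message;
  }
  const honest = buildUrlStrict(honestReq);
  return {
    naivePathname: naive.pathname, // "/admin": the real path was pushed into the query string
    naiveSearch: naive.search, // "?/account"
    strictRejected: strictError !== null, // true: the spoofed header never reaches the parser
    honestPathname: honest.pathname, // "/account"
    honestPort: honest.port, // "8443"
  };
}

console.log(compare());
```

Run with `node` (the `URL` global is built in). The point of the comparison is that the naive form produces a syntactically valid URL whose pathname the client chose, so any routing or authorization keyed on `url.pathname` downstream sees the wrong path; the strict form turns the same header into a rejected request that a reverse proxy or application log can flag. Where the adapter sits behind a trusted proxy, the same validation belongs on `X-Forwarded-Host` as on `Host`.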
How to fix CVE-2025-31137
To remediate CVE-2025-31137, upgrade the affected package to a fixed version below.
- React Router 7: upgrade to 7.4.1 or later
- Remix 2: upgrade to 2.16.3 or later
Is CVE-2025-31137 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.0.0, < 7.4.1
- >= 2.11.1, < 2.16.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |