🛡️ CVE-2025-31137
🟠 CVSS 8.0 — High ✅ No Known Exploit CWE-444 NVD
8.0
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Details

Severity HIGH
CVSS Score 8.0
CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE CWE-444
Public Exploit ✅ No
Source NVD
Published 2025-04-01
Updated 2026-06-02
Modified 2025-04-01
Fix URL N/A

Affected Packages

Software From version Fixed in
@react-router/express
@remix-run/express
unknown

Site Security Check

Concerned your site may already be targeted?

BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.

Check My Site Free →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.