React Router and Remix URL Spoofing Vulnerability in Express Adapter

Vulnerability

A vulnerability exists in React Router versions 7.0.0 through 7.4.0 and in Remix versions 2.11.1 through 2.16.2 when the Express adapter is used. It allows the URL of an incoming request to be spoofed by manipulating the port section of the URL in the Host or X-Forwarded-Host header. The spoofed URL can then deceive the request handler about the actual origin of the request.

Impact

Exploitation of this vulnerability could lead to incorrect handling of requests based on the spoofed URL, potentially allowing for unauthorized actions or access within the application.

Remediation

Users can upgrade to React Router version 7.4.1 or Remix version 2.16.3 to address this vulnerability.
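
As a defense-in-depth check alongside the upgrade, the following added example (not code from this advisory or from the React Router or Remix projects) rejects Host and X-Forwarded-Host values whose port section is anything other than a plain port number, before the request reaches the framework's handler. The ALLOWED_HOSTS set, the function names and the host app.example.test are assumptions made for illustration; IPv6 literal hosts are not handled.

```javascript
// Hostnames this deployment is expected to serve (constructed sample value).
const ALLOWED_HOSTS = new Set(["app.example.test"]);

// DNS-style hostname, then an optional ":port" made of 1 to 5 digits only.
const LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
const HOST_RE = new RegExp(`^(${LABEL}(?:\\.${LABEL})*)(?::(\\d{1,5}))?$`, "i");

// Returns { hostname, port } for a well-formed value, otherwise null.
function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  const m = HOST_RE.exec(value.trim());
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

// Validates both headers named in the advisory.
function checkRequestHost(headers) {
  for (const name of ["host", "x-forwarded-host"]) {
    const raw = headers[name];
    if (raw === undefined) continue;
    // A proxy chain can yield a comma-separated list; every entry must pass.
    for (const part of String(raw).split(",")) {
      const parsed = parseHostHeader(part);
      if (!parsed) return { ok: false, reason: `malformed ${name}` };
      if (!ALLOWED_HOSTS.has(parsed.hostname)) {
        return { ok: false, reason: `unexpected ${name}` };
      }
    }
  }
  return { ok: true };
}

// Express-style middleware: register it before the framework request handler.
function hostGuard(req, res, next) {
  const result = checkRequestHost(req.headers);
  if (!result.ok) {
    res.statusCode = 400;
    return res.end("Bad Request");
  }
  next();
}
```

Logging the rejected header value and the reason at this point also gives a detection signal for probing against unpatched instances.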

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.