React Router and Remix Session File Access Vulnerability via Unsigned Cookies

Vulnerability

A vulnerability exists in React Router's Node package ('@react-router/node') and in Remix's Deno and Node packages ('@remix-run/deno', '@remix-run/node') prior to the patched versions listed under Remediation. When 'createFileSessionStorage()' is used with an unsigned session cookie, the session ID carried in the cookie is under the client's control, and a crafted ID can make the store read from or write to paths outside the designated session directory. What an attacker can reach is bounded by the file permissions of the process running the application. Files read this way are not returned to the attacker directly; however, if a file's contents match the format the session store expects, they are loaded into the server-side session and may become reachable through the application's own session-handling logic.

Impact

Depending on the file permissions of the application process, exploitation could allow unauthorized reads of, or writes to, files outside the session directory, and tampering with session data held on the server side.

Remediation

Upgrade '@react-router/node' to version 7.9.4 or later, and '@remix-run/deno' and '@remix-run/node' to version 2.17.2 or later. Because the precondition for this issue is an unsigned session cookie, also confirm that production configurations sign the session cookie; that is good practice regardless of version, but it is not a substitute for upgrading.

Added: Jan 10, 2026, 3:23 AM
Updated: Jan 10, 2026, 3:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.