Bug 2356710 (CVE-2025-31137)

Summary: CVE-2025-31137 react-router: Remix Host Header Spoofing Vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, adkhan, adudiak, alcohan, anjoseph, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, cmah, cmiranda, crizzo, darran.lofthouse, dbosanac, dhanak, dkreling, doconnor, dosoudil, dranck, drosa, dsimansk, dymurray, eaguilar, ebaron, eric.wittmann, fdeutsch, fjuma, ggrzybek, gmalinko, gparvin, gryan, gzaronik, haoli, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jcammara, jcantril, jchui, jhe, jhuff, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jolong, jprabhak, jreimann, jrokos, jwendell, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lgao, lphiri, mabashia, manissin, matzew, mdessi, mnovotny, mosmerov, mposolda, mrizzi, msochure, msvehla, nboldt, nipatil, njean, nwallace, omaciel, oramraz, owatkins, pahickey, pantinor, parichar, pbizzarr, pbraun, pcattana, pcongius, pdelbell, periklis, pesilva, pgaikwad, pjindal, pmackay, psrna, rcernich, rhaigner, rjohnson, rkubis, rojacob, rstancel, rstepani, sausingh, sdawley, sdoran, shvarugh, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, tasato, teagle, tfister, thason, thavo, tom.jenkinson, vmuzikar, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in react-router due to improper handling of user-controlled data within the Express adapter. This flaw allows a remote attacker to trigger a server-side request forgery (SSRF) condition. This SSRF can be exploited by sending crafted HTTP requests to arbitrary internal or external resources. Successful exploitation results in a high impact denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-04-01 19:01:40 UTC 
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.