Bug 2428423 (CVE-2025-61686)

Summary: CVE-2025-61686 react-router: React Router has Path Traversal in File Session Storage
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: aazores, abarbaro, abokovoy, abrianik, adudiak, alcohan, alizardo, anjoseph, anpicker, anthomas, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, bparees, brasmith, brian.stansberry, carlmart, carogers, caswilli, cmah, cochase, darran.lofthouse, dbosanac, dhanak, dhanina, dnakabaa, doconnor, dosoudil, dranck, drosa, dymurray, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fdeutsch, fjuma, frenaud, ftrivino, ggainey, ggrzybek, gmalinko, gparvin, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jcantril, jchui, jfula, jhe, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, joehler, jolong, jowilson, jprabhak, jreimann, jrokos, juwatts, kaycoth, kegrant, koliveir, kshier, ktsao, kverlaen, lball, lcouzens, lphiri, mabashia, manissin, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mskarbek, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, ometelka, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pberan, pbizzarr, pbohmill, pbraun, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sdoran, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, syedriko, tasato, teagle, tfister, thason, thavo, tmalecek, tom.jenkinson, veshanka, vmuzikar, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A security issue was discovered in the react-router/node component of React Router. It is possible for an attacker manipulate an unsigned cookie to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2026-01-12 14:50:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2428678    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-10 04:02:22 UTC 
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Comment 2 David Hanina 2026-01-12 13:49:38 UTC 
In case of the FreeIPA WebUI this CVE, as well as few other react-router related, do not concern us, as we do not use react-router on the server-side, the CVE is not relevant for client-side only code.