A critical security vulnerability, CVE-2025-31137, has been identified in React Router, a popular library used by millions of developers for managing routing in React applications.
Security researchers from zhero_web_security discovered this flaw, which affects both React Router 7 and Remix 2 frameworks when using the Express adapter. It could potentially expose web applications to cache poisoning and web application firewall (WAF) bypass attacks.
According to a post shared on X, the vulnerability stems from improper sanitization of the Host and X-Forwarded-Host HTTP headers in the Express adapter.
Specifically, attackers can manipulate the URL by injecting a pathname into the port portion of these headers. The vulnerable code in the Express adapter processes the headers without proper validation:
When the X-Forwarded-Host header is manipulated, the value after the colon character is treated as a port and directly concatenated with the hostname.
Since there’s no sanitization, attackers can inject arbitrary path components that alter the application’s routing behavior.
The summary of the vulnerability is given below:
Risk Factors / Details
Affected Products: React Router v7.0.0–7.4.0, Remix v2.11.1–2.16.2 (when using the Express adapter)
Impact: Cache Poisoning (CPDoS), WAF Bypass, Path Traversal, XSS/SQLi escalation
Exploit Prerequisites: Use of the Express adapter; ability to manipulate the Host or X-Forwarded-Host headers
CVSS 3.1 Score: 7.5 (High)
Attack Vectors
Security researchers have identified multiple attack vectors leveraging this vulnerability:
Cache Poisoning Denial of Service (CPDoS): Attackers can force caching systems to store incorrect responses by manipulating the URL path through the headers.
This can render applications completely unusable if the poisoned responses are distributed through content delivery networks.
Web Application Firewall Bypass: The vulnerability allows attackers to split malicious payloads between the header and URL, potentially circumventing WAFs that separately analyze these components.
This technique can enable various attacks, including SQL injection and cross-site scripting (XSS).
Path Traversal: By manipulating the effective URL used for routing decisions, attackers can reach paths that routing-level security mechanisms would otherwise protect.
For example, an attacker could send a request with this manipulated header:
Affected Versions and Patches
The vulnerability affects:
@react-router/express versions 7.0.0 through 7.4.0.
@remix-run/express versions 2.11.1 through 2.16.2.
The issue has been patched in React Router 7.4.1 and Remix 2.16.3, released on March 28, 2025.
With over 13.2 million weekly downloads, the widespread use of React Router makes this vulnerability particularly concerning. The CVSS score for this vulnerability is 7.5 (High), indicating its significant potential impact.
“This vulnerability can be exploited in several ways, either directly or indirectly if chained with other exploits,” noted the researchers.
“All of these sites were very popular and widely used globally, and the CPDoS aspect alone could render them completely unusable.”
Organizations using React Router or Remix frameworks should:
Immediately update to React Router 7.4.1 or Remix 2.16.3.
Implement header validation as a temporary workaround if updates aren’t immediately possible.
Review application logs for potential exploitation attempts.
Consider implementing additional security layers beyond WAFs for critical applications.
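The header-validation workaround recommended above, as an added example that is not code from the article or from the React Router project: a small Express-style middleware that accepts a Host or X-Forwarded-Host value only when it is a bare hostname, IPv4 address or bracketed IPv6 literal with an optional numeric port, so a value carrying a path after the port (the pattern described earlier) is rejected before the adapter ever sees it. The allow-list option and the sample headers are constructed for the example.

```javascript
// Simplified host grammar: DNS labels, IPv4 dotted form, or "[ipv6]",
// optionally followed by ":" and one to five digits. Anything else
// ("/", "?", "#", whitespace, an empty value) fails the match.
const HOST_PATTERN =
  /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*|\[[0-9a-f:.]+\])(?::\d{1,5})?$/i;

// Returns true only for a well-formed host[:port] value with a usable port.
function isValidHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 255) {
    return false;
  }
  if (!HOST_PATTERN.test(value)) return false;
  // A port, when present, must be a real TCP port number (1-65535).
  const idx = value.lastIndexOf(':');
  if (idx !== -1 && !value.endsWith(']')) {
    const port = Number(value.slice(idx + 1));
    if (port < 1 || port > 65535) return false;
  }
  return true;
}

// Middleware factory. `allowedHosts` (optional, lower-case host[:port] strings)
// is an assumed deployment setting; when given, only listed values pass.
function hostHeaderGuard(options = {}) {
  const allowed = options.allowedHosts;
  return function (req, res, next) {
    for (const name of ['host', 'x-forwarded-host']) {
      const raw = req.headers[name];
      if (raw === undefined) continue;
      // Reject repeated headers, malformed values and values off the allow-list.
      if (Array.isArray(raw) || !isValidHostHeader(raw) ||
          (allowed && !allowed.includes(raw.toLowerCase()))) {
        res.statusCode = 400;
        res.end('Bad Request');
        return;
      }
    }
    next();
  };
}

// Runs the guard against a constructed request and reports the outcome,
// so the behaviour can be checked without a real Express server.
function checkRequest(headers, allowedHosts) {
  let outcome = 'passed';
  const res = { statusCode: 200, end() { outcome = 'rejected:' + this.statusCode; } };
  hostHeaderGuard({ allowedHosts })({ headers }, res, () => {});
  return outcome;
}
```

Mount it before the React Router or Remix request handler so that rejected requests never reach the adapter, and keep the allow-list aligned with the hostnames the reverse proxy actually forwards.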
As web applications increasingly rely on complex front-end frameworks, this vulnerability underscores the importance of thorough security reviews and prompt dependency patching in the development lifecycle.