High severity7.5NVD Advisory· Published Apr 1, 2025· Updated Apr 15, 2026

CVE-2025-31137

Description

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@react-router/expressnpm	>= 7.0.0, < 7.4.1	7.4.1
@remix-run/expressnpm	>= 2.11.1, < 2.16.3	2.16.3

Patches

7350eef4e937

https://github.com/remix-run/react-routervia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-4q56-crqp-v477ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-31137ghsaADVISORY
github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000