logo

Database

HTTP request smuggling In @remix-run/express

Description

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact

We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler.

Patches

This issue has been patched and released in Remix 2.16.3 React Router 7.4.1.

Credits

    Rachid Allam (zhero;)

    Yasser Allam (inzo_)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-311372. NVD-2025-311373. OSV-2025-311374. GHSA-4q56-crqp-v4775. GCVE-2025-31137

References

1. https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v4772. https://github.com/pouriam23/vulnerability-in-Remix-React-Router-CVE-2025-31137-

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.