A newly discovered vulnerability, CVE-2025-31137, has been identified in React Router, a popular library used for managing routing in React applications. The report by security researchers Rachid Allam and Yasser Allam details how this flaw can allow attackers to manipulate URLs via the Host and X-Forwarded-Host headers, potentially leading to various exploits.
React Router is a widely used library, with one report stating it has over 13.2 million weekly downloads. The vulnerability specifically affects users of Remix 2 and React Router 7 who use the Express adapter. The report emphasizes the potential severity, stating, "This could potentially lead to several exploits."
The core issue lies in how React Router's Express adapter handles the Host and X-Forwarded-Host headers. According to the report, "It is possible to call any path directly from the host or x-forwarded-host header due to the lack of port sanitization."
While both headers can be exploited, the researchers note a preference for X-Forwarded-Host, explaining, "Although it is possible to take advantage of both headers, we will focus on x-forwarded-host because manipulating the Host value will result in an error with most reverse proxies/CDNs even if it's perfectly valid/possible locally." In cases where both headers are present, the X-Forwarded-Host header takes precedence.
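As an added illustration (not code from the researchers' report or from React Router itself), the following Express-style middleware shows the kind of defensive check the report describes as missing: it accepts a Host or X-Forwarded-Host value only when it is an allowlisted hostname with an optional numeric port, and it honours X-Forwarded-Host only when the request arrives from a trusted proxy. The allowlist, proxy address, sample request and the names sanitizeHostHeader, hostGuard and req.effectiveHost are assumptions constructed for this example.

```javascript
// Added example (not from the report or React Router): reject Host /
// X-Forwarded-Host values that carry anything but "hostname[:port]".
const HOSTNAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/;

// Returns the normalised "host" or "host:port" when the header is an
// allowlisted hostname with an optional numeric port, otherwise null.
// IPv6 literals are deliberately unsupported by this simple allowlist.
function sanitizeHostHeader(value, allowedHosts) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 255) return null;
  // Path, query, fragment, userinfo, backslash or whitespace in a host
  // header is never legitimate: that is the smuggled-URL shape.
  if (/[\/?#@\\\s]/.test(value)) return null;
  let host = value, port = null;
  const sep = value.lastIndexOf(':');
  if (sep !== -1) {
    host = value.slice(0, sep);
    port = value.slice(sep + 1);
    if (!/^\d{1,5}$/.test(port) || Number(port) < 1 || Number(port) > 65535) return null;
  }
  host = host.toLowerCase();
  if (!HOSTNAME_RE.test(host) || !allowedHosts.includes(host)) return null;
  return port === null ? host : `${host}:${port}`;
}

// Express-compatible middleware factory (plain (req, res, next) shape, so it
// runs here without the express package). X-Forwarded-Host is honoured only
// when the TCP peer is a trusted proxy; the effective host must validate.
// req.effectiveHost is an assumed property name used for illustration.
function hostGuard({ allowedHosts, trustedProxies = [] }) {
  return function (req, res, next) {
    const peer = req.socket && req.socket.remoteAddress;
    if (!trustedProxies.includes(peer)) delete req.headers['x-forwarded-host'];
    const raw = req.headers['x-forwarded-host'] || req.headers['host'];
    const host = sanitizeHostHeader(raw, allowedHosts);
    if (host === null) {
      res.statusCode = 400;
      res.end('Bad Request: invalid Host header');
      return;
    }
    req.effectiveHost = host;
    next();
  };
}
// Constructed sample request: a forwarded host carrying a path, sent from an
// address that is not a trusted proxy, so the header is dropped and Host wins.
const guard = hostGuard({ allowedHosts: ['app.example'], trustedProxies: ['10.0.0.1'] });
const sample = { headers: { host: 'app.example', 'x-forwarded-host': 'app.example:8080/admin' },
                 socket: { remoteAddress: '203.0.113.9' } };
guard(sample, { end() {} }, () => console.log('accepted as', sample.effectiveHost));
```

This is defence in depth at the application edge; the fix itself is the upgrade to the patched versions.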
The vulnerability opens the door to several attack vectors, including:
Cache Poisoning Denial of Service (CPDoS): The ability to manipulate URLs and response codes can be exploited to poison caches, disrupting application availability.
WAF Bypass: By strategically splitting payloads across the URL and headers, attackers might bypass Web Application Firewalls (WAFs) to conduct attacks like SQL injection.
Escalated XSS: Reflected XSS attacks could be escalated to Stored XSS if a caching system is in place.
The report indicates that the vulnerability has been addressed in recent releases: the issue has been patched and released in Remix 2.16.3 / React Router 7.4.1. Users of affected versions are strongly advised to update to the patched versions to mitigate the risk.