Path Traversal in React Router: The Cookie That Ate Your Filesystem
Jan 15, 2026 · 5 min read
Executive Summary (TL;DR)
If you use `@react-router/node` or `@remix-run/node` with file-based session storage (`createFileSessionStorage`) and the session cookie is not signed (no `secrets` configured), the server accepts whatever session ID the client sends and uses it to build the path of the session file on disk. An attacker can therefore send a cookie whose "session ID" contains directory traversal sequences (`../../`) to escape the session directory. This lets them delete any file the server process can unlink (denial of service) or overwrite such files with the serialized session JSON, which can corrupt application data or compromise the application.
A critical path traversal vulnerability in the file-based session storage of React Router and Remix allows remote attackers to delete or overwrite arbitrary files on the server by manipulating unsigned session cookies.
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Systems
Affected Versions Detail
| Package | Project | Affected Versions | Fixed Version |
|---|---|---|---|
| @react-router/node | Remix/React Router | 7.0.0 - 7.9.3 | 7.9.4 |
| @remix-run/node | Remix | < 2.17.2 | 2.17.2 |
| @remix-run/deno | Remix | < 2.17.2 | 2.17.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 (Path Traversal) |
| CVSS v3.1 | 9.1 (Critical) |
| Attack Vector | Network (Cookies) |
| Impact | Integrity (H), Availability (H) |
| Exploit Status | PoC Available |
| EPSS Score | 0.00061 |
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.