CVE-2025-61686

Vendor / product: React · React Router (multiple products affected)

A critical path traversal vulnerability exists in certain versions of React Router and Remix libraries, affecting applications that use file-based session storage with unsigned cookies.

Executive summary

A critical path traversal vulnerability exists in certain versions of React Router and Remix libraries, affecting applications that use file-based session storage with unsigned cookies. An attacker can manipulate session cookies to force the application to read from or write to arbitrary files on the server, constrained only by the web server's file system permissions. Successful exploitation could lead to sensitive information disclosure or data corruption, posing a significant risk to affected systems.

Vulnerability

This vulnerability is a path traversal flaw that occurs when the createFileSessionStorage() function is used with an unsigned session cookie. An attacker can craft a malicious cookie containing path traversal sequences (e.g., ../). When the server processes this cookie to manage the session, it incorrectly concatenates the malicious input into a file path, causing it to attempt file operations outside of the intended session storage directory.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1, indicating a high potential for significant business impact. Exploitation could lead to the unauthorized disclosure of sensitive information if an attacker successfully reads configuration files, source code, or other data that can be parsed as a session file. Furthermore, the ability to write to arbitrary locations could result in the corruption of critical application data or system files, leading to service disruption or application instability. These outcomes present direct risks of a data breach, reputational damage, and financial loss associated with service downtime and recovery efforts.

Remediation

Immediate Action: Update all affected components to the patched versions listed below, or later, as recommended by the vendor:

  • Update @react-router/node to version 7.9.4
  • Update @remix-run/deno to version 2.17.2
  • Update @remix-run/node to version 2.17.2

Following the update, monitor application and server logs for any signs of exploitation attempts that may have occurred prior to patching.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server and application logs for requests containing path traversal sequences (../ and ..\, including their URL-encoded forms) within cookie values. Monitor for unusual file I/O errors or unexpected file access patterns originating from the application process.
  • File Integrity Monitoring (FIM): Implement FIM on critical application and system directories to detect unauthorized file modifications, creations, or deletions on the web server.
  • Behavioral Analysis: Monitor for abnormal application behavior, such as unexpected session data appearing for users, which could indicate that a malicious file read has populated a session.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Enforce Signed Cookies: The vulnerability is only exploitable with unsigned cookies. Configure the application to enforce cryptographic signing for all session cookies, which prevents attackers from tampering with their content.
  • Principle of Least Privilege: Harden the web server by ensuring the user account running the application has the most restrictive file system permissions possible. It should only have write access to the specific directories it requires for normal operation.
  • Web Application Firewall (WAF): Deploy and configure a WAF to inspect and block incoming requests with cookie values containing common path traversal patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this vulnerability, immediate action is required. We strongly recommend that all organizations using the affected React Router or Remix libraries apply the vendor-supplied security patches without delay. Even though this CVE is not currently listed on the CISA KEV catalog, its high impact score makes it a prime target for future exploitation. Organizations should also conduct an internal review to identify all instances where createFileSessionStorage() is used and ensure that signed cookies are being enforced as a security best practice.