CVE-2025-31137
📋 TL;DR
This vulnerability allows attackers to spoof URLs in incoming requests by manipulating Host or X-Forwarded-Host headers with URL pathnames in the port section. It affects all Remix 2 and React Router 7 applications using the Express adapter, potentially enabling various web-based attacks.
💻 Affected Systems
- Remix
- React Router
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass authentication, redirect users to malicious sites, manipulate application logic, or conduct phishing attacks by spoofing legitimate URLs.
Likely Case
URL spoofing leading to phishing, session hijacking, or bypassing security controls that rely on URL validation.
If Mitigated
Limited impact with proper input validation, header sanitization, and security layers in place.
🎯 Exploit Status
Exploitation requires sending crafted HTTP headers, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Remix 2.16.3, React Router 7.4.1
Vendor Advisory: https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477
Restart Required: Yes
Instructions:
1. Update Remix to version 2.16.3 or later. 2. Update React Router to version 7.4.1 or later. 3. Restart your application server.
🔧 Temporary Workarounds
Input Validation Middleware
allAdd middleware to sanitize Host and X-Forwarded-Host headers, rejecting malformed values.
// Example Express middleware:
app.use((req, res, next) => {
const host = req.headers.host || req.headers['x-forwarded-host'];
if (host && host.includes('/')) {
return res.status(400).send('Invalid host header');
}
next();
});
🧯 If You Can't Patch
- Implement strict input validation for Host and X-Forwarded-Host headers in your application or reverse proxy.
- Use a web application firewall (WAF) to block requests with malformed host headers.
🔍 How to Verify
Check if Vulnerable:
Check your package.json for Remix version < 2.16.3 or React Router version < 7.4.1, and verify Express adapter usage.Check Version:
npm list remix react-routerVerify Fix Applied:
Confirm package.json shows Remix >= 2.16.3 or React Router >= 7.4.1, and test with crafted headers to ensure rejection.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with Host or X-Forwarded-Host headers containing '/' characters or unusual port values.
Network Indicators:
- Unusual HTTP traffic patterns with manipulated host headers.
SIEM Query:
source="web_logs" AND (header.host CONTAINS "/" OR header.x-forwarded-host CONTAINS "/")