- Last update: 12/01/2026
- Affected software: React Router
- Type:
→ CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
→ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
→ CWE-346: Origin Validation Error
→ CWE-352: Cross-Site Request Forgery (CSRF)
→ CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CVE/CVSS
→ CVE-2025-61686: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
→ CVE-2026-22029: CVSS 8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
→ CVE-2025-59057: CVSS 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
→ CVE-2026-22030: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
→ CVE-2025-68470: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVE-2025-61686 - https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw
CVE-2026-22029 - https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
CVE-2025-59057 - https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8
CVE-2026-22030 - https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh
CVE-2025-68470 - https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
Multiple high-severity vulnerabilities affecting React Router, the standard routing library for React applications, were disclosed on January 8. These vulnerabilities include Path Traversal, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Open Redirect flaws. Successful exploitation could allow remote attackers to access sensitive session files, execute arbitrary code via client-side scripts, or hijack user sessions. This has a high impact on the Confidentiality, Integrity and Availability of the React application.
CVE-2025-61686, CVSS: 9.1
A path traversal vulnerability exists in the createFileSessionStorage() function when configured with unsigned cookies. Attackers can manipulate the session cookie to read or write files outside the intended session directory. Successful exploitation could lead to unauthorized access to file system data.
This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
CVE-2026-22029, CVSS: 8
A vulnerability exists within SPA open navigation. When operating in Framework Mode, Data Mode, or unstable RSC modes, redirects originating from loaders or actions that utilize untrusted content can result in the generation of unsafe URLs. This allows for unintended JavaScript execution on the client. If an attacker can control the redirect path, they can execute arbitrary JavaScript in the user's session (XSS).
This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
CVE-2025-59057, CVSS: 7.6
A Cross-Site Scripting (XSS) vulnerability exists within the meta() and <Meta> APIs when operating in Framework Mode. If untrusted content is used to generate script:ld+json tags, it can allow arbitrary JavaScript execution during Server-Side Rendering (SSR).
This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
CVE-2026-22030, CVSS: 6.5
A Cross-Site Request Forgery (CSRF) vulnerability exists, where attackers can exploit document POST requests to UI routes when the application uses server-side route action handlers in Framework Mode, or React Server Actions in the unstable RSC modes.
This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
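A server-side route action that accepts a browser-submitted document POST needs to establish that the request came from its own origin. The following is an added example (not React Router's or Remix's code) of such a check, using the Fetch Metadata `Sec-Fetch-Site` header where the browser sends it and falling back to `Origin` / `Referer` otherwise. The request is represented as a plain `{method, headers}` object and the application origin `https://app.example` is a constructed value.

```javascript
// Added example, not code from React Router. Decides whether a state-changing
// request may be handled by a route action, based on browser-supplied origin signals.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function header(headers, name) {
  // Case-insensitive lookup over a plain header object.
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

function isSameOriginMutation(request, appOrigin) {
  const method = String(request.method || "GET").toUpperCase();
  if (SAFE_METHODS.has(method)) return true; // reads are not mutations

  // Modern browsers: Fetch Metadata is authoritative and cannot be forged by a page.
  const site = header(request.headers, "sec-fetch-site");
  if (site === "same-origin" || site === "none") return true;
  if (site === "cross-site" || site === "same-site") return false;

  // No Fetch Metadata (older client): fall back to Origin, then Referer.
  const origin = header(request.headers, "origin");
  if (origin) return origin === appOrigin;
  const referer = header(request.headers, "referer");
  if (referer) {
    try {
      return new URL(referer).origin === appOrigin;
    } catch {
      return false;
    }
  }
  return false; // no origin signal at all: deny document mutations
}

// Constructed sample requests for a quick stand-alone run.
const APP_ORIGIN = "https://app.example";
console.log(isSameOriginMutation(
  { method: "POST", headers: { "Sec-Fetch-Site": "cross-site" } }, APP_ORIGIN)); // false
console.log(isSameOriginMutation(
  { method: "POST", headers: { Origin: "https://app.example" } }, APP_ORIGIN)); // true
```

`same-site` is treated as untrusted deliberately: a sibling subdomain is not the application itself. Requests without any origin signal are denied for mutations, which is the safe default for document POSTs; API clients that legitimately omit these headers belong behind a token-based check instead.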
CVE-2025-68470, CVSS: 6.5
An attacker-supplied path crafted for navigate(), <Link>, or redirect() can force the app to navigate to an external URL.
This issue has been patched in versions 6.30.2 and 7.9.6.
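Both CVE-2026-22029 (unsafe URLs built from untrusted redirect content in loaders and actions) and CVE-2025-68470 (external navigation via attacker-controlled paths) come down to the same defensive rule: a redirect or navigation target derived from user input must be constrained to an in-app path before it is used. The following is an added example (not React Router's code) of such a normaliser; the placeholder origin `https://app.invalid` is an assumption used only to parse the candidate.

```javascript
// Added example, not code from React Router. Reduces an untrusted redirect
// target to a same-origin path, or returns the fallback if it cannot.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string") return fallback;
  const t = candidate.trim();

  // Must be an absolute-path reference: starts with exactly one "/".
  // This rejects scheme-prefixed strings (javascript:, data:, https:),
  // protocol-relative hosts (//evil.example) and the backslash variant (/\evil).
  if (!t.startsWith("/") || t.startsWith("//") || t.startsWith("/\\")) return fallback;

  // Control characters or backslashes anywhere can change how a URL is parsed.
  if (/[\u0000-\u001f\\]/.test(t)) return fallback;

  // Parse against a placeholder origin (assumed value); the result must stay on it.
  let parsed;
  try {
    parsed = new URL(t, "https://app.invalid");
  } catch {
    return fallback;
  }
  if (parsed.origin !== "https://app.invalid") return fallback;

  // Re-emit only the path components so nothing host-related survives.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs, e.g. a "returnTo" value read from the query string.
for (const sample of ["/account?tab=1", "//evil.example/x", "javascript:alert(1)", "https://evil.example"]) {
  console.log(JSON.stringify(sample), "->", safeRedirectTarget(sample));
}
```

Use the returned value as the argument to redirect() or navigate() rather than the raw input; when the fallback comes back, the application lands on its own root instead of wherever the crafted value pointed.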
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
CVE-2025-61686 - https://nvd.nist.gov/vuln/detail/CVE-2025-61686
CVE-2026-22029 - https://nvd.nist.gov/vuln/detail/CVE-2026-22029
CVE-2026-22030 - https://nvd.nist.gov/vuln/detail/CVE-2026-22030
CVE-2025-59057 - https://nvd.nist.gov/vuln/detail/CVE-2025-59057
CVE-2025-68470 - https://nvd.nist.gov/vuln/detail/CVE-2025-68470