CVE-2025-31137— react-router 环境问题漏洞

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

N/A

HTTP请求的解释不一致性(HTTP请求私运)

react-router 环境问题漏洞

react-router是Remix开源的一个 React 的声明式路由。 react-router 7.0.0版本至7.4.0版本存在环境问题漏洞，该漏洞源于Remix或React Router的Express适配器允许通过URL路径名伪造请求URL。

N/A

N/A