Security Update: React Router and Remix Vulnerabilities

We are aware of recently disclosed vulnerabilities affecting React Router and Remix:

1. CVE 2025-31137 (React Router 7 and Remix): Spoof request path allowing certain access control bypasses
2. CVE-2025-43864 (React Router 7 only): Cache poisoning leading to unusable responses
3. CVE-2025-43865 (React Router 7 only): Cache poisoning with arbitrary data

Impact on Netlify sites:

• CVE 2025-31137: Sites on Netlify are not vulnerable, because the Netlify CDN cache varies on the query string by default, and Remix and React Router sites on Netlify do not use the impacted Express package.
• CVE-2025-43864: Sites on Netlify using React Router 7.2.0 to 7.5.1 are vulnerable. However, exploitation requires all of the following conditions for a given URL to be poisonable:
  • The site must not be using React Router’s SPA mode.
  • The page or loader must be explicitly setting caching headers.
  • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).
• CVE-2025-43865: Sites on Netlify using React Router 7.0.0 to 7.5.1 are vulnerable. However, exploitation requires all of the following conditions for a given URL to be poisonable:
  • The page or loader must be explicitly setting caching headers.
  • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).

We strongly recommend upgrading to the latest versions of React Router (7.5.2). Given these specific requirements, the number of vulnerable Netlify sites is low. However, out of an abundance of caution, our engineering team is actively rolling out a mitigation to further protect against these vulnerabilities. We will continue to monitor the situation and will provide updates as our work progresses.

Continue reading...