7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31137

CVE-2025-31137: Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact

We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler.

Patches

This issue has been patched and released in Remix 2.16.3 React Router 7.4.1.

Credits

Rachid Allam (zhero;)
Yasser Allam (inzo_)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-31137

CVE-2025-31137:

7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@react-router/express	npm	>= 7.0.0, < 7.4.1	7.4.1
@remix-run/express	npm	>= 2.11.1, < 2.16.3	2.16.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on improper handling of Host/X-Forwarded-Host headers when constructing request URLs in Express adapters. The primary vulnerable functions are the request handlers that process incoming requests and derive URL components from headers. createRequestHandler is the entry point for both affected packages, making it the most likely location for header processing flaws. getServerAddress is included as a secondary candidate based on typical Express adapter patterns for URL construction. The high confidence stems from the explicit advisory references to Express adapter handling and the CVSS vector indicating network-based exploitation of request processing logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-31137: Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact

Patches

Credits

CVE-2025-31137:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

7.5

7.5

CVE-2025-31137: Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact

Patches

Credits

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI