We are aware of recently disclosed vulnerabilities affecting React Router and Remix: CVE 2025-31137 (React Router 7 and Remix): Spoof request path allowing certain access control bypasses CVE-2025-43864 (React Router 7 only): Cache poisoning leading to unusable responses CVE-2025-43865 (React Router 7 only): Cache poisoning with arbitrary data Impact on Netlify sites: CVE 2025-31137: Sites on Netlify are not vulnerable, because the Netlify CDN cache varies on the query string by default, and ...
