# Protection against React Router vulnerability CVE\-2025\-31137

**Published:** April 17, 2025 | **Authors:** Casey Gowrie

---

Security researchers reviewing the Remix web framework have [recently discovered](https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path) a high-severity vulnerability in React Router that allows URL manipulation through the `Host`/ `X-Forwarded-Host` header.

Our investigation determined that Vercel and our customers are unaffected:

- We use query parameters as part of the cache key, which protects against cache poisoning driven by the `_data` query praram.
- The `@vercel/remix` adapter uses `X-Forwarded-Host` similarly to the Express adapter, but it is not possible for an end user to send `X-Forwarded-Host` to a Function hosted on Vercel.

A patch has been issued and released in Remix 2.16.3 / React Router 7.4.1. We recommend customers update to the latest version.

Read more about [CVE-2025-31137](https://nvd.nist.gov/vuln/detail/CVE-2025-31137).

---

📚 **More updates:** [View all changelog entries](/changelog/sitemap.md) | [Blog](/blog/sitemap.md)