Security researchers reviewing the Remix web framework have recently discovered a high-severity vulnerability in React Router that allows URL manipulation through the Host/ X-Forwarded-Host header.
Our investigation determined that Vercel and our customers are unaffected:
We use query parameters as part of the cache key, which protects against cache poisoning driven by the
_dataquery praram.The
@vercel/remixadapter usesX-Forwarded-Hostsimilarly to the Express adapter, but it is not possible for an end user to sendX-Forwarded-Hostto a Function hosted on Vercel.
A patch has been issued and released in Remix 2.16.3 / React Router 7.4.1. We recommend customers update to the latest version.
Read more about CVE-2025-31137.