Security researchers reviewing the Remix web framework have recently discovered a high-severity vulnerability in React Router that allows URL manipulation through the Host/ X-Forwarded-Host header.

Our investigation determined that Vercel and our customers are unaffected:

• We use query parameters as part of the cache key, which protects against cache poisoning driven by the _data query praram.

• The @vercel/remix adapter uses X-Forwarded-Host similarly to the Express adapter, but it is not possible for an end user to send X-Forwarded-Host to a Function hosted on Vercel.

A patch has been issued and released in Remix 2.16.3 / React Router 7.4.1. We recommend customers update to the latest version.

Read more about CVE-2025-31137.