Protection against React Router vulnerability CVE-2025-31137
Remix 2.16.3 and React Router 7.4.1 release a patch for CVE-2025-31137, a high-severity URL manipulation vulnerability exploitable via the X-Forwarded-Host header.
Security researchers reviewing the Remix web framework have recently discovered a high-severity vulnerability in React Router that allows URL manipulation through the Host / X-Forwarded-Host header. Our investigation determined that Vercel and our customers are unaffected:
- We use query parameters as part of the cache key, which protects against cache poisoning driven by the _data query param.
- The @vercel/remix adapter uses X-Forwarded-Host similarly to the Express adapter, but it is not possible for an end user to send X-Forwarded-Host to a Function hosted on Vercel.
A patch has been issued and released in Remix 2.16.3 / React Router 7.4.1. We recommend customers update to the latest version.
Read more about CVE-2025-31137.
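For self-hosted deployments, the two protections named on this page (X-Forwarded-Host not accepted from end users, and query parameters included in the cache key) can be sketched as follows. This is an added example, not Vercel's or React Router's code; TRUSTED_PROXIES, isValidHost, sanitizeHeaders and cacheKey are hypothetical names and the proxy address is a constructed sample.

```javascript
// Added example; all names and the proxy address are assumptions.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // constructed sample address

// Hostname characters with an optional numeric port. Anything containing
// "/", "?", "#", "@" or whitespace fails to match.
const HOST_RE = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/i;

function isValidHost(value) {
  if (typeof value !== "string" || value.length > 255) return false;
  const m = HOST_RE.exec(value);
  if (!m) return false;
  // m[2] is the ":port" suffix when present.
  return m[2] === undefined || Number(m[2].slice(1)) <= 65535;
}

// Returns a lower-cased copy of the headers that is safe to hand to the
// framework adapter, or null when the request should be rejected (400).
function sanitizeHeaders(headers, peerAddress) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  const xfh = out["x-forwarded-host"];
  const trusted = TRUSTED_PROXIES.has(peerAddress);
  // Keep X-Forwarded-Host only when our own proxy set it and it is well formed.
  if (xfh !== undefined && !(trusted && isValidHost(xfh))) {
    delete out["x-forwarded-host"];
  }
  return isValidHost(out["host"]) ? out : null;
}

// Cache key that includes the (sorted) query string, so a response for
// "?_data=..." is never served for the plain document URL.
function cacheKey(host, pathAndQuery) {
  const url = new URL(pathAndQuery, "http://" + host);
  url.searchParams.sort();
  return url.host + url.pathname + "?" + url.searchParams.toString();
}
```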