@react-router/express 7.4.0 → 7.4.1

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # `@react-router/express`
 
+## 7.4.1
+
+### Patch Changes
+
+- Better validation of `x-forwarded-host` header to preent potential security issues. ([#13309](https://github.com/remix-run/react-router/pull/13309))
+- Updated dependencies:
+  - `react-router@7.4.1`
+  - `@react-router/node@7.4.1`
+
 ## 7.4.0
 
 ### Patch Changes
@@ -93,7 +102,7 @@
 
 ### Major Changes
 
-- Remove single\_fetch future flag. ([#11522](https://github.com/remix-run/react-router/pull/11522))
+- Remove single fetch future flag. ([#11522](https://github.com/remix-run/react-router/pull/11522))
 - update minimum node version to 18 ([#11690](https://github.com/remix-run/react-router/pull/11690))
 - Add `exports` field to all packages ([#11675](https://github.com/remix-run/react-router/pull/11675))
 - node package no longer re-exports from react-router ([#11702](https://github.com/remix-run/react-router/pull/11702))

package/dist/index.js

@@ -1,5 +1,5 @@
 /**
- * @react-router/express v7.4.0
+ * @react-router/express v7.4.1
  *
  * Copyright (c) Remix Software Inc.
  *
@@ -70,9 +70,11 @@ function createRemixHeaders(requestHeaders) {
   return headers;
 }
 function createRemixRequest(req, res) {
-  let [, hostnamePort] = req.get("X-Forwarded-Host")?.split(":") ?? [];
-  let [, hostPort] = req.get("host")?.split(":") ?? [];
-  let port = hostnamePort || hostPort;
+  let [, hostnamePortStr] = req.get("X-Forwarded-Host")?.split(":") ?? [];
+  let [, hostPortStr] = req.get("host")?.split(":") ?? [];
+  let hostnamePort = Number.parseInt(hostnamePortStr, 10);
+  let hostPort = Number.parseInt(hostPortStr, 10);
+  let port = Number.isSafeInteger(hostnamePort) ? hostnamePort : Number.isSafeInteger(hostPort) ? hostPort : "";
   let resolvedHost = `${req.hostname}${port ? `:${port}` : ""}`;
   let url = new URL(`${req.protocol}://${resolvedHost}${req.originalUrl}`);
   let controller = new AbortController();

package/dist/index.mjs

@@ -1,5 +1,5 @@
 /**
- * @react-router/express v7.4.0
+ * @react-router/express v7.4.1
  *
  * Copyright (c) Remix Software Inc.
  *
@@ -48,9 +48,11 @@ function createRemixHeaders(requestHeaders) {
   return headers;
 }
 function createRemixRequest(req, res) {
-  let [, hostnamePort] = req.get("X-Forwarded-Host")?.split(":") ?? [];
-  let [, hostPort] = req.get("host")?.split(":") ?? [];
-  let port = hostnamePort || hostPort;
+  let [, hostnamePortStr] = req.get("X-Forwarded-Host")?.split(":") ?? [];
+  let [, hostPortStr] = req.get("host")?.split(":") ?? [];
+  let hostnamePort = Number.parseInt(hostnamePortStr, 10);
+  let hostPort = Number.parseInt(hostPortStr, 10);
+  let port = Number.isSafeInteger(hostnamePort) ? hostnamePort : Number.isSafeInteger(hostPort) ? hostPort : "";
   let resolvedHost = `${req.hostname}${port ? `:${port}` : ""}`;
   let url = new URL(`${req.protocol}://${resolvedHost}${req.originalUrl}`);
   let controller = new AbortController();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@react-router/express",
-  "version": "7.4.0",
+  "version": "7.4.1",
   "description": "Express server request handler for React Router",
   "bugs": {
     "url": "https://github.com/remix-run/react-router/issues"
@@ -45,7 +45,7 @@
     }
   },
   "dependencies": {
-    "@react-router/node": "7.4.0"
+    "@react-router/node": "7.4.1"
   },
   "devDependencies": {
     "@types/express": "^4.17.9",
@@ -61,7 +61,7 @@
   "peerDependencies": {
     "express": "^4.17.1 || ^5",
     "typescript": "^5.1.0",
-    "react-router": "7.4.0"
+    "react-router": "7.4.1"
   },
   "peerDependenciesMeta": {
     "typescript": {