@react-router/express is an Express server request handler for React Router

Affected versions of this package are vulnerable to HTTP Request Smuggling via Host or X-Forwarded-Host headers. An attacker can spoof the URL used in an incoming request's Host or X-Forwarded-Host header by passing in a URL pathname as the port of a URL.

dtale is a Web Client for Visualizing Pandas Objects

Affected versions of this package are vulnerable to Arbitrary Command Injection by modifying the global application settings to enable enable_custom_filters. The attacker can then exploit access to the /dtale/test-filter endpoint to execute arbitrary commands.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to the custom UndertowHeaderFilterStrategy only filtering outgoing and not incoming headers. An attacker can manipulate header entries to invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions on components like camel-bean and camel-exec.

This vulnerability is a special case of the vulnerabilities described in CVE-2025-27636 and CVE-2025-29891, applying only to the Undertow component.