The widely used React Router library, a critical navigation tool for React applications, has resolved two high-severity vulnerabilities (CVE-2025-43864 and CVE-2025-43865) that allowed attackers to spoof content, alter data values, and launch cache-poisoning attacks.
Developers must update to react-router v7.5.2 immediately to mitigate risks.
Key Vulnerabilities and Impacts
1. CVE-2025-43864: DoS via SPA Mode Cache Poisoning
.png
)
Attackers could force server-side rendering (SSR) applications into single-page application (SPA) mode by injecting the X-React-Router-SPA-Mode header.
This triggers errors that corrupt pages and-if cached-render entire applications unusable.
2. CVE-2025-43865: Pre-Render Data Spoofing
By exploiting the X-React-Router-Prerender-Data header, attackers could manipulate pre-rendered data to overwrite server-side values.
This allows content spoofing, phishing, or even stored XSS attacks if data is mishandled client-side.
Technical Breakdown of Vulnerabilities
| CVE ID | CVE-2025-43864 | CVE-2025-43865 |
| Severity | High (CVSS 7.5) | High (CVSS 8.3) |
| Affected Versions | 7.2.0 ≤ react-router ≤ 7.5.1 | 7.0.0 ≤ react-router ≤ 7.5.1 |
| Patched Version | 7.5.2 | 7.5.2 |
| Attack Vector | Inject X-React-Router-SPA-Mode header | Inject X-React-Router-Prerender-Data header |
| Primary Risk | Cache poisoning leading to application DoS | Data spoofing, content manipulation, XSS |
How the Exploits Work
- Forcing SPA Mode (CVE-2025-43864):
Attackers send requests with the malicious header to SSR endpoints using loaders. This triggers errors that cache systems store, making the corrupted response permanent until cache invalidation. - Data Spoofing (CVE-2025-43865):
Attackers intercept pre-rendered data requests (e.g., /page.data), modify values in the header, and serve poisoned content. If cached, all users see the falsified data.
- Upgrade Immediately: Update to react-router v7.5.2.
- Purge Caches: Invalidate cached responses to remove poisoned entries.
- Monitor Headers: Block or sanitize X-React-Router-SPA-Mode and X-React-Router-Prerender-Data headers at the network layer.
- Audit Loaders: Review server-side loaders for unintended data exposure.
Cybersecurity firm Cold-Try, which discovered the flaws, warns:
“These vulnerabilities highlight the risks of improper header handling in SSR frameworks. Organizations using React Router must act swiftly- attackers can exploit these issues with minimal effort.”
React Router’s updates address critical gaps in header validation and data integrity.
With over 20 million weekly downloads on npm, this library’s security is vital to the global React ecosystem. Developers should prioritize patching and monitor for unusual header activity.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
.){kind=link}