VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-98v3-32bv-2qg9

Essentials
Severities (29)
References (10)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-98v3-32bv-2qg9
Aliases	CVE-2025-43864 GHSA-f46r-rw29-r322
Summary	React Router allows a DoS via cache poisoning by forcing SPA mode ## Summary After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. ## Details The vulnerable header is `X-React-Router-SPA-Mode`; adding it to a request sent to a page/endpoint using a loader throws an error. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407) : <img width="672" alt="Capture d’écran 2025-04-07 à 08 28 20" src="https://github.com/user-attachments/assets/0a0e9c41-70fd-4dba-9061-892dd6797291" /> To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader. ## Steps to reproduce Versions used for our PoC: - "@react-router/node": "^7.5.0", - "@react-router/serve": "^7.5.0", - "react": "^19.0.0" - "react-dom": "^19.0.0" - "react-router": "^7.5.0" 1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation) 2. Add a simple page using a loader (example: `routes/ssr`) ![image](https://github.com/user-attachments/assets/d7d04e86-c549-4f4a-9200-2d1b6ac96aad) 3. Send a request to the endpoint using the loader (`/ssr` in our case) adding the following header: ``` X-React-Router-SPA-Mode: yes ``` Notice the difference between a request with and without the header; Normal request ![Capture d’écran 2025-04-07 à 08 36 27](https://github.com/user-attachments/assets/da372b70-7c68-41c1-aac1-e5be94f22526) With the header ![Capture d’écran 2025-04-07 à 08 37 01](https://github.com/user-attachments/assets/98101720-cb5b-44e9-bff5-463c0b4dab2a) ![image](https://github.com/user-attachments/assets/c16a101e-688c-4757-9e05-61308ed8a2de) ## Impact If a system cache is in place, it is possible to poison the response by completely altering its content (by an error message), strongly impacting its availability, making the latter impractical via a cache-poisoning attack. ## Credits - Rachid Allam (zhero;) - Yasser Allam (inzo_)
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-755	Improper Handling of Exceptional Conditions
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
epss	0.00374	https://api.first.org/data/v1/epss?cve=CVE-2025-43864
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-f46r-rw29-r322
cvssv3.1	7.5	https://github.com/remix-run/react-router
generic_textual	HIGH	https://github.com/remix-run/react-router
cvssv3.1	7.5	https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407
generic_textual	HIGH	https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407
ssvc	Track	https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407
cvssv3.1	7.5	https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
generic_textual	HIGH	https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
ssvc	Track	https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
cvssv3.1	7.5	https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322
cvssv3.1_qr	HIGH	https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322
generic_textual	HIGH	https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322
ssvc	Track	https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-43864
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-43864

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-43864
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/remix-run/react-router
		https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407
		https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
		https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322
		https://nvd.nist.gov/vuln/detail/CVE-2025-43864
2362232		https://bugzilla.redhat.com/show_bug.cgi?id=2362232
GHSA-f46r-rw29-r322		https://github.com/advisories/GHSA-f46r-rw29-r322

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/remix-run/react-router

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/ Found at https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/ Found at https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/ Found at https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-43864

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.5908
EPSS Score	0.00374
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:54:51.379337+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-f46r-rw29-r322/GHSA-f46r-rw29-r322.json	38.0.0