Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/761409?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/761409?format=api", "purl": "pkg:npm/react-router@0.0.0-nightly-7de375944-20250206", "type": "npm", "namespace": "", "name": "react-router", "version": "0.0.0-nightly-7de375944-20250206", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.0.0", "latest_non_vulnerable_version": "7.12.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25415?format=api", "vulnerability_id": "VCID-98v3-32bv-2qg9", "summary": "React Router allows a DoS via cache poisoning by forcing SPA mode\n## Summary\nAfter some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.\n\n## Details\nThe vulnerable header is `X-React-Router-SPA-Mode`; adding it to a request sent to a page/endpoint using a loader throws an error. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407) :\n\n<img width=\"672\" alt=\"Capture d’écran 2025-04-07 à 08 28 20\" src=\"https://github.com/user-attachments/assets/0a0e9c41-70fd-4dba-9061-892dd6797291\" />\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n\n\n\n3. Send a request to the endpoint using the loader (`/ssr` in our case) adding the following header:\n```\nX-React-Router-SPA-Mode: yes\n```\n\nNotice the difference between a request with and without the header;\n\n**Normal request**\n\n\n**With the header**\n\n\n\n## Impact\nIf a system cache is in place, it is possible to poison the response by completely altering its content (*by an error message*), strongly impacting its availability, making the latter impractical via a cache-poisoning attack.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43864", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59108", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59122", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59103", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59123", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59143", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59139", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.5914", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59121", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59102", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.5908", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59118", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00374", "scoring_system": "epss", "scoring_elements": "0.59067", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43864" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/remix-run/react-router", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/remix-run/react-router" }, { "reference_url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/" } ], "url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407" }, { "reference_url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/" } ], "url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111" }, { "reference_url": "https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/" } ], "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43864", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43864" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362232", "reference_id": "2362232", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362232" }, { "reference_url": "https://github.com/advisories/GHSA-f46r-rw29-r322", "reference_id": "GHSA-f46r-rw29-r322", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f46r-rw29-r322" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/761503?format=api", "purl": "pkg:npm/react-router@0.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/68647?format=api", "purl": "pkg:npm/react-router@7.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1khb-1639-afhf" }, { "vulnerability": "VCID-2bdv-sysu-ryef" }, { "vulnerability": "VCID-7nah-t7y2-zfcy" }, { "vulnerability": "VCID-hwnh-8gqs-8fgj" }, { "vulnerability": "VCID-y2ce-z8tu-y7e5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/react-router@7.5.2" } ], "aliases": [ "CVE-2025-43864", "GHSA-f46r-rw29-r322" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-98v3-32bv-2qg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/25437?format=api", "vulnerability_id": "VCID-fvgg-y3kj-wyew", "summary": "React Router allows pre-render data spoofing on React-Router framework mode\n## Summary\nAfter some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.\n\n## Details\nThe vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) :\n\n<img width=\"776\" alt=\"Capture d’écran 2025-04-07 à 05 36 58\" src=\"https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4\" />\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:\n\n\n\nWe access it by adding the suffix `.data` and retrieve the data object, needed for the header:\n\n\n\n4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):\n\n\n\nAs you can see, all values have been changed/overwritten by the values provided via the header. \n\n## Impact\nThe impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43865.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43865.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43865", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52558", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52595", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52584", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52634", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52648", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52641", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52603", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52617", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52537", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52583", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52589", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52571", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52544", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00292", "scoring_system": "epss", "scoring_elements": "0.52633", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43865" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/remix-run/react-router", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/remix-run/react-router" }, { "reference_url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/" } ], "url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87" }, { "reference_url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/" } ], "url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111" }, { "reference_url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/" } ], "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43865", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43865" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362231", "reference_id": "2362231", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362231" }, { "reference_url": "https://github.com/advisories/GHSA-cpj6-fhp6-mr6j", "reference_id": "GHSA-cpj6-fhp6-mr6j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpj6-fhp6-mr6j" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13904", "reference_id": "RHSA-2025:13904", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13904" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/761503?format=api", "purl": "pkg:npm/react-router@0.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/68647?format=api", "purl": "pkg:npm/react-router@7.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1khb-1639-afhf" }, { "vulnerability": "VCID-2bdv-sysu-ryef" }, { "vulnerability": "VCID-7nah-t7y2-zfcy" }, { "vulnerability": "VCID-hwnh-8gqs-8fgj" }, { "vulnerability": "VCID-y2ce-z8tu-y7e5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/react-router@7.5.2" } ], "aliases": [ "CVE-2025-43865", "GHSA-cpj6-fhp6-mr6j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fvgg-y3kj-wyew" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0-nightly-7de375944-20250206" }