{"url":"http://public2.vulnerablecode.io/api/packages/761500?format=json","purl":"pkg:npm/react-router@0.0.0-nightly-f763fd2eb-20241122","type":"npm","namespace":"","name":"react-router","version":"0.0.0-nightly-f763fd2eb-20241122","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.0.0","latest_non_vulnerable_version":"7.12.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25415?format=json","vulnerability_id":"VCID-98v3-32bv-2qg9","summary":"React Router allows a DoS via cache poisoning by forcing SPA mode\n## Summary\nAfter some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.\n\n## Details\nThe vulnerable header is `X-React-Router-SPA-Mode`; adding it to a request sent to a page/endpoint using a loader throws an error. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407) :\n\n<img width=\"672\" alt=\"Capture d’écran 2025-04-07 à 08 28 20\" src=\"https://github.com/user-attachments/assets/0a0e9c41-70fd-4dba-9061-892dd6797291\" />\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n\n![image](https://github.com/user-attachments/assets/d7d04e86-c549-4f4a-9200-2d1b6ac96aad)\n\n3. Send a request to the endpoint using the loader (`/ssr` in our case) adding the following header:\n```\nX-React-Router-SPA-Mode: yes\n```\n\nNotice the difference between a request with and without the header;\n\n**Normal request**\n![Capture d’écran 2025-04-07 à 08 36 27](https://github.com/user-attachments/assets/da372b70-7c68-41c1-aac1-e5be94f22526)\n\n**With the header**\n![Capture d’écran 2025-04-07 à 08 37 01](https://github.com/user-attachments/assets/98101720-cb5b-44e9-bff5-463c0b4dab2a)\n![image](https://github.com/user-attachments/assets/c16a101e-688c-4757-9e05-61308ed8a2de)\n\n## Impact\nIf a system cache is in place, it is possible to poison the response by completely altering its content (*by an error message*), strongly impacting its availability, making the latter impractical via a cache-poisoning attack.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43864.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-43864","reference_id":"","reference_type":"","scores":[{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59108","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59122","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59103","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59123","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59143","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59139","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.5914","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59121","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59102","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.5908","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59118","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00374","scoring_system":"epss","scoring_elements":"0.59067","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-43864"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/remix-run/react-router","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/remix-run/react-router"},{"reference_url":"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/"}],"url":"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407"},{"reference_url":"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/"}],"url":"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"},{"reference_url":"https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:17:49Z/"}],"url":"https://github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-43864","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-43864"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2362232","reference_id":"2362232","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2362232"},{"reference_url":"https://github.com/advisories/GHSA-f46r-rw29-r322","reference_id":"GHSA-f46r-rw29-r322","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f46r-rw29-r322"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/761503?format=json","purl":"pkg:npm/react-router@0.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68647?format=json","purl":"pkg:npm/react-router@7.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1khb-1639-afhf"},{"vulnerability":"VCID-2bdv-sysu-ryef"},{"vulnerability":"VCID-7nah-t7y2-zfcy"},{"vulnerability":"VCID-hwnh-8gqs-8fgj"},{"vulnerability":"VCID-y2ce-z8tu-y7e5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-router@7.5.2"}],"aliases":["CVE-2025-43864","GHSA-f46r-rw29-r322"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-98v3-32bv-2qg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25437?format=json","vulnerability_id":"VCID-fvgg-y3kj-wyew","summary":"React Router allows pre-render data spoofing on React-Router framework mode\n## Summary\nAfter some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. Latest versions are impacted.\n\n## Details\nThe vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) :\n\n<img width=\"776\" alt=\"Capture d’écran 2025-04-07 à 05 36 58\" src=\"https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4\" />\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:\n\n![image](https://github.com/user-attachments/assets/d7d04e86-c549-4f4a-9200-2d1b6ac96aad)\n\nWe access it by adding the suffix `.data` and retrieve the data object, needed for the header:\n\n![image](https://github.com/user-attachments/assets/ea0ca23e-6ba5-49c1-980d-1b04a05acf56)\n\n4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):\n\n![Capture d’écran 2025-04-07 à 05 56 10](https://github.com/user-attachments/assets/42ca7c9e-5cd3-4eff-9711-1e78755c9046)\n\nAs you can see, all values ​​have been changed/overwritten by the values ​​provided via the header. \n\n## Impact\nThe impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43865.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-43865.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-43865","reference_id":"","reference_type":"","scores":[{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52558","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52595","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52584","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52634","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52648","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52641","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52603","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52617","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52537","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52583","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52589","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52571","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52544","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00292","scoring_system":"epss","scoring_elements":"0.52633","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-43865"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/remix-run/react-router","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/remix-run/react-router"},{"reference_url":"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/"}],"url":"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87"},{"reference_url":"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/"}],"url":"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"},{"reference_url":"https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-25T15:11:14Z/"}],"url":"https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-43865","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-43865"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2362231","reference_id":"2362231","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2362231"},{"reference_url":"https://github.com/advisories/GHSA-cpj6-fhp6-mr6j","reference_id":"GHSA-cpj6-fhp6-mr6j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpj6-fhp6-mr6j"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:13904","reference_id":"RHSA-2025:13904","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:13904"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/761503?format=json","purl":"pkg:npm/react-router@0.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/68647?format=json","purl":"pkg:npm/react-router@7.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1khb-1639-afhf"},{"vulnerability":"VCID-2bdv-sysu-ryef"},{"vulnerability":"VCID-7nah-t7y2-zfcy"},{"vulnerability":"VCID-hwnh-8gqs-8fgj"},{"vulnerability":"VCID-y2ce-z8tu-y7e5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-router@7.5.2"}],"aliases":["CVE-2025-43865","GHSA-cpj6-fhp6-mr6j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fvgg-y3kj-wyew"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/react-router@0.0.0-nightly-f763fd2eb-20241122"}