React Router Vulnerabilities Let Attackers Spoof Contents & Modify Values

Significant security flaws have been discovered in React Router, a widely-used routing library for React applications, potentially allowing attackers to corrupt content, poison caches, and manipulate pre-rendered data. 

The vulnerabilities, which impact applications running in Framework mode with server-side rendering (SSR) and loaders, could be exploited remotely with no user interaction or privileges required. 

Both issues have been patched as of version 7.5.2, but millions of applications may remain at risk until updated.

Cache Poisoning via Forced SPA Mode (CVE-2025-43864)

The first vulnerability, assigned a CVSS score of 7.5, enables attackers to force server-side rendered (SSR) applications to switch to single-page application (SPA) mode by injecting a malicious header.

“Adding the X-React-Router-SPA-Mode header to a request sent to a page using a loader throws an error that completely corrupts the page,” explains the security advisory. 

When the application uses SSR and is forced to switch to SPA mode unexpectedly, it generates an error that significantly alters the page content.

The vulnerability affects React Router versions 7.2.0 through 7.5.1. If a caching system is implemented, this corrupted response can be stored and served to subsequent users, effectively poisoning the cache and creating a denial of service condition.

To exploit this vulnerability, an attacker needs no special privileges-they simply add the malicious header to requests targeting pages that use loaders in applications running React Router in Framework mode.

Risk Factors	Details
Affected Products	React Router (npm package) versions >= 7.2.0, <= 7.5.1
Impact	Denial of Service (DoS)
Exploit Prerequisites	– Application must use React Router in Framework mode- Target page must use a loader- No privileges needed- No user interaction required- Attacker can inject X-React-Router-SPA-Mode header via network request
CVSS 3.1 Score	7.5 (High)

Pre-Render Data Spoofing (CVE-2025-43865)

The second, more severe vulnerability (CVSS 8.2) allows attackers to manipulate pre-rendered data by injecting a specially crafted X-React-Router-Prerender-Data header. 

This attack vector enables complete spoofing of content by modifying values in the data object passed to HTML before it reaches users.

According to the advisory: “It is possible to modify pre-rendered data by adding a header to the request, allowing attackers to completely spoof its contents and modify all the values of the data object passed to the HTML”.

This vulnerability affects a broader range of versions, from 7.0 to 7.5.1. The impact is significant, potentially enabling:

• Content manipulation.
• Cache poisoning attacks.
• Possible stored XSS vulnerabilities depending on how client-side data handling is implemented.

React Router in Framework mode provides a hybrid approach that combines SPA concepts with server-side rendering. By default, it enables SSR but can be configured to run in SPA mode by setting ssr:false in the react-router.config.ts file.

The vulnerabilities specifically target applications using loaders, which are responsible for data fetching in React Router applications.

Risk Factors	Details
Affected Products	React Router (npm package) versions >= 7.0, <= 7.5.1
Impact	Cache poisoning with arbitrary data
Exploit Prerequisites	– Application must use React Router in Framework mode- Target page must use a loader- Attacker can inject X-React-Router-Prerender-Data header with crafted JSON- No privileges or user interaction required
CVSS 3.1 Score	8.2 (High)

Remediation

Both vulnerabilities have been patched in React Router version 7.5.2, released on April 24, 2025. The React Router team strongly recommends all users to upgrade immediately to mitigate these security risks.

Organizations using React Router should:

• Immediately update to version 7.5.2 or later.
• Implement proper header validation if running custom caching layers.
• Review application logs for potential exploitation attempts containing these malicious headers.
• Consider implementing content security policies to provide additional protection.

Given the widespread use of React Router in web applications, these vulnerabilities represent a significant security concern requiring prompt attention from development teams.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.