CVE-2025-43865

Published Apr 25, 2025

Last updated 9 days ago

CVSS high 8.2
React Router

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-43865 is a vulnerability affecting React Router, a routing library for React applications. Specifically, versions on the 7.0 branch prior to 7.5.2 are susceptible. The vulnerability stems from the possibility of modifying pre-rendered data by adding a header to the request. By exploiting this vulnerability, an attacker can completely spoof the contents and modify all the values of the data object passed to the HTML. This is achieved by manipulating the `X-React-Router-Prerender-Data` header. The issue has been addressed and patched in version 7.5.2 of React Router.

Description
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows an attacker to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Insights

Analysis from the Intruder Security Team
Published Apr 28, 2025 · Updated Apr 28, 2025

If caching is in use on this application, it is likely this can be used to poison the cache, causing the modified data to be shown to other users.

There is also potential to then use this for cross-site scripting, although this would depend on how the data is processed by the client and will not be the case for all applications.

In order for an application to be vulnerable, React Router must be used in Framework mode.

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.2
Impact score
4.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-345

Social media

Hype score
Not currently trending
  1. 🚨 React Router has patched two high-severity vulnerabilities (CVE-2025-43864 & CVE-2025-43865) that could allow content spoofing and service disruption. Upgrade to 7.5.2 to stay secure! 🇺🇸 #ReactRouter #AppSecurity link: https://t.co/8jMF0Tm2UO https://t.co/iURgCEzH

    @TweetThreatNews · 28 Apr 2025

    23 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  2. 🚨 Security Alert for #ReactRouter & #RemixJS users! Two high-severity cache poisoning bugs (CVE-2025-43864 & CVE-2025-43865) can cause DoS & stored XSS. 🔄 Upgrade to v7.5.2+ 🧹 Purge all caches ⚙️ Review caching settings Stay safe! 🔒 #WebSecurity #D

    @KasunLuckshitha · 28 Apr 2025

    136 impressions, 2 retweets, 7 likes, 1 bookmark, 1 reply, 0 quotes

  3. 🚨Alert🚨 two new vulnerabilities in React Router CVE-2025-43864: DoS via cache poisoning by forcing SPA mode CVE-2025-43865: Pre-render data spoofing on React-Router framework mode 🔥PoC from @zhero___ & @inzo____ : CVE-2025-43864:https://t.co/hfhSnQ6p8F https://t.co/

    @HunterMapping · 28 Apr 2025

    2861 impressions, 11 retweets, 44 likes, 20 bookmarks, 0 replies, 0 quotes

  4. React Router Vulnerabilities CVE-2025-43864 and CVE-2025-43865 Expose Web Applications to Attack https://t.co/nPQfc8BuPJ

    @the_yellow_fall · 28 Apr 2025

    373 impressions, 3 retweets, 2 likes, 0 bookmarks, 0 replies, 0 quotes

  5. The React Router team has issued an advisory about two vulnerabilities (CVE-2025-43864 and CVE-2025-43865) affecting applications running in framework mode. React Router is downloaded roughly 14 million times a week

    @yousukezan · 28 Apr 2025

    951 impressions, 4 retweets, 5 likes, 3 bookmarks, 0 replies, 0 quotes

  6. We've rolled out a mitigation to protect all Cloudflare customers from the recent vulnerabilities in Remix and React Router (CVE-2025-43864 and CVE-2025-43865).

    @CloudflareDev · 27 Apr 2025

    48083 impressions, 29 retweets, 561 likes, 58 bookmarks, 9 replies, 8 quotes

  7. Threat Alert: Critical React Router Flaws Affect Framework Mode Applications CVE-2025-43864 CVE-2025-43865 Severity: ⚠️ Critical Maturity: 💢 Emerging Learn more: https://t.co/ab48UY6eal #CyberSecurity #ThreatIntel #InfoSec (1/3)

    @fletch_ai · 27 Apr 2025

    25 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  8. Vercel customers are protected from two high-severity vulnerabilities (CVE-2025-43864 and CVE-2025-43865) in Remix and React Router. Read our advisory to understand impact and next steps. https://t.co/jmPW2qHxWA

    @vercel_changes · 26 Apr 2025

    107221 impressions, 6 retweets, 54 likes, 15 bookmarks, 0 replies, 3 quotes

  9. A vulnerability in React Router that allows the response to be overwritten via a header: "React Router allows pre-render data spoofing on React-Router framework mode · CVE-2025-43865 · GitHub Advisory Database" https://t.co/CGCbtxmzfk

    @azu_re · 26 Apr 2025

    1811 impressions, 3 retweets, 7 likes, 5 bookmarks, 0 replies, 0 quotes

  10. 🚨 CVE-2025-43865 🔴 HIGH (8.2) 🏢 remix-run - react-router 🏗️ >= 7.0, < 7.5.2 🔗 https://t.co/tg8NZCq7Ne 🔗 https://t.co/7QnIjVRwSH 🔗 https://t.co/ozSBW1pSpH #CyberCron #VulnAlert #InfoSec https://t.co/ThxHqUIBdT

    @cybercronai · 25 Apr 2025

    23 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  11. CVE-2025-43865 React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request.… https://t.co/tjecHQD72R

    @CVEnew · 25 Apr 2025

    233 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  12. another research effort with @inzo____ led to the discovery of two new vulnerabilities in React Router (14M+ downloads/week), resulting in: - CVE-2025-43865 (High-8.2) - CVE-2025-43864 (High-7.5) https://t.co/ooTe702fat

    @zhero___ · 24 Apr 2025

    21739 impressions, 46 retweets, 407 likes, 160 bookmarks, 19 replies, 3 quotes