CVE-2025-43865 is a vulnerability affecting React Router, a routing library for React applications. Specifically, versions on the 7.0 branch prior to 7.5.2 are susceptible. The vulnerability stems from the possibility of modifying pre-rendered data by adding a header to the request. By exploiting this vulnerability, an attacker can completely spoof the contents and modify all the values of the data object passed to the HTML. This is achieved by manipulating the `X-React-Router-Prerender-Data` header. The issue has been addressed and patched in version 7.5.2 of React Router.
If caching is in use on this application, it is likely this can be used to poison the cache, causing the modified data to be shown to other users.
There is also potential to then use this for cross-site scripting, although, this would depend on how the data is processed by the client, and will not be the case for all applications.
In order for this application to be vulnerable, React Router must be used in Framework mode.
🚨 React Router has patched two high-severity vulnerabilities (CVE-2025-43864 & CVE-2025-43865) that could allow content spoofing and service disruption. Upgrade to 7.5.2 to stay secure! 🇺🇸 #ReactRouter #AppSecurity link: https://t.co/8jMF0Tm2UO https://t.co/iURgCEzH
@TweetThreatNews
28 Apr 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Security Alert for #ReactRouter & #RemixJS users! Two high-severity cache poisoning bugs (CVE-2025-43864 & CVE-2025-43865) can cause DoS & stored XSS. 🔄 Upgrade to v7.5.2+ 🧹 Purge all caches ⚙️ Review caching settings Stay safe! 🔒 #WebSecurity #D
@KasunLuckshitha
28 Apr 2025
136 Impressions
2 Retweets
7 Likes
1 Bookmark
1 Reply
0 Quotes
🚨Alert🚨 two new vulnerabilities in React Router CVE-2025-43864: DoS via cache poisoning by forcing SPA mode CVE-2025-43865: Pre-render data spoofing on React-Router framework mode 🔥PoC from @zhero___ & @inzo____ : CVE-2025-43864:https://t.co/hfhSnQ6p8F https://t.co/
@HunterMapping
28 Apr 2025
2861 Impressions
11 Retweets
44 Likes
20 Bookmarks
0 Replies
0 Quotes
React Router Vulnerabilities CVE-2025-43864 and CVE-2025-43865 Expose Web Applications to Attack https://t.co/nPQfc8BuPJ
@the_yellow_fall
28 Apr 2025
373 Impressions
3 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
React Routerチームは、フレームワークモードで動作するアプリケーションに影響を与える2件の脆弱性(CVE-2025-43864およびCVE-2025-43865)に関する注意喚起を発表した。 React Routerは週に約1,400万回ダウンロードされ
@yousukezan
28 Apr 2025
951 Impressions
4 Retweets
5 Likes
3 Bookmarks
0 Replies
0 Quotes
We've rolled out a mitigation to protect all Cloudflare customers from the recent vulnerabilities in Remix and React Router (CVE-2025-43864 and CVE-2025-43865).
@CloudflareDev
27 Apr 2025
48083 Impressions
29 Retweets
561 Likes
58 Bookmarks
9 Replies
8 Quotes
Threat Alert: Critical React Router Flaws Affects Framework Mode Applications CVE-2025-43864 CVE-2025-43865 Severity: ⚠️ Critical Maturity: 💢 Emerging Learn more: https://t.co/ab48UY6eal #CyberSecurity #ThreatIntel #InfoSec (1/3)
@fletch_ai
27 Apr 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Vercel customers are protected from two high-severity vulnerabilities (CVE-2025-43864 and CVE-2025-43865) in Remix and React Router. Read our advisory to understand impact and next steps. https://t.co/jmPW2qHxWA
@vercel_changes
26 Apr 2025
107221 Impressions
6 Retweets
54 Likes
15 Bookmarks
0 Replies
3 Quotes
React Routerでヘッダ経由でレスポンスを上書きできる脆弱性 "React Router allows pre-render data spoofing on React-Router framework mode · CVE-2025-43865 · GitHub Advisory Database" https://t.co/CGCbtxmzfk
@azu_re
26 Apr 2025
1811 Impressions
3 Retweets
7 Likes
5 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-43865 🔴 HIGH (8.2) 🏢 remix-run - react-router 🏗️ >= 7.0, < 7.5.2 🔗 https://t.co/tg8NZCq7Ne 🔗 https://t.co/7QnIjVRwSH 🔗 https://t.co/ozSBW1pSpH #CyberCron #VulnAlert #InfoSec https://t.co/ThxHqUIBdT
@cybercronai
25 Apr 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-43865 React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request.… https://t.co/tjecHQD72R
@CVEnew
25 Apr 2025
233 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
another research effort with @inzo____ led to the discovery of two new vulnerabilities in React Router (14M+ downloads/week), resulting in: - CVE-2025-43865 (High-8.2) - CVE-2025-43864 (High-7.5) https://t.co/ooTe702fat
@zhero___
24 Apr 2025
21739 Impressions
46 Retweets
407 Likes
160 Bookmarks
19 Replies
3 Quotes
