CVE-2025-43865
📋 TL;DR
React Router versions 7.0.x before 7.5.2 allow attackers to modify pre-rendered data by adding specific headers to requests, enabling complete spoofing of data passed to HTML. This affects any React application using vulnerable React Router versions for server-side rendering. Attackers can manipulate data that users see and interact with.
💻 Affected Systems
- React Router
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete data manipulation leading to content spoofing, misinformation propagation, or injection of malicious content that users trust as legitimate application data.
Likely Case
Attackers modify displayed data to mislead users, potentially altering prices, messages, or other dynamic content without changing underlying application logic.
If Mitigated
With proper input validation and header filtering, impact is limited to attempted attacks that get blocked before reaching the rendering layer.
🎯 Exploit Status
Exploitation requires sending HTTP requests with specific headers to modify pre-rendered data. No authentication needed if endpoint is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.2
Vendor Advisory: https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j
Restart Required: Yes
Instructions:
1. Update React Router dependency to version 7.5.2 or later.
2. Run 'npm update react-router @remix-run/router react-router-dom' or equivalent for your package manager.
3. Restart your application server.
4. Test that server-side rendering functions correctly.
🔧 Temporary Workarounds
Implement header validation middleware
Add server-side middleware to filter or reject requests containing suspicious headers that could manipulate pre-rendered data.
Disable server-side rendering for sensitive routes
Configure React Router to use client-side rendering only for routes where data manipulation would be critical.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit impact of any injected content
- Deploy a web application firewall (WAF) configured to block requests with headers attempting to manipulate pre-rendered data
🔍 How to Verify
Check if Vulnerable:
Check package.json or lock file for React Router version. If version is between 7.0.0 and 7.5.1 inclusive, the application is vulnerable if using server-side rendering.
Check Version:
npm list react-router @remix-run/router react-router-dom | grep 'react-router'
Verify Fix Applied:
Confirm React Router version is 7.5.2 or higher in package.json and that server-side rendering functions correctly without data manipulation via headers.
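The lock-file check described above can be automated so that nested, transitive copies of react-router are caught as well as the top-level one. The following is an added example, not code from the advisory or the React Router project; it assumes an npm lock file with lockfileVersion 2 or 3, the names isAffected, auditLockfile and SAMPLE_LOCK are hypothetical, and it checks versions only, not whether server-side rendering is in use.

```javascript
// Affected range as stated on this page: 7.0.0 through 7.5.1 inclusive, fixed in 7.5.2.
const FIRST_AFFECTED = [7, 0, 0];
const FIRST_FIXED = [7, 5, 2];

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = in the affected range, false = outside it, null = version could not be parsed.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version));
  if (!m) return null;
  const v = m.slice(1, 4).map(Number);
  if (compare(v, FIRST_AFFECTED) < 0) return false;
  const c = compare(v, FIRST_FIXED);
  // Assumption: a prerelease such as 7.5.2-pre.0 sorts before 7.5.2, so it is flagged too.
  return c < 0 || (c === 0 && m[4] !== undefined);
}

// Walk every installed copy of react-router in the lock file, including nested ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isRouter = path === "node_modules/react-router" ||
      path.endsWith("/node_modules/react-router");
    if (!isRouter) continue;
    const affected = isAffected(meta.version);
    if (affected === false) continue;
    findings.push({ path, version: meta.version,
      status: affected ? "vulnerable" : "unparseable" });
  }
  return findings;
}

// Constructed sample: the top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.5.2" },
    "node_modules/react-router-dom": { version: "7.5.2" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "7.3.0" },
    "node_modules/admin-ui/node_modules/react-router": { version: "6.30.0" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the parsed contents of package-lock.json to auditLockfile and treat any "unparseable" entry as needing manual review.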
📡 Detection & Monitoring
Log Indicators:
- Unusual header patterns in HTTP request logs
- Multiple requests with similar payloads but different header values
- Errors in server-side rendering logs
Network Indicators:
- HTTP requests with headers attempting to override pre-rendered data parameters
- Unusual traffic patterns to SSR endpoints
SIEM Query:
http.request.headers contains 'X-React-Router-Data' OR http.request.headers contains suspicious data manipulation patterns
🔗 References
- https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87
- https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
- https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j