CVE-2025-43865
Published 2025-04-25
Priority P3 · 45 · high · 8.2 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.74% (49.9th percentile)
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remix-run | react-router | — | — |
| remix-run | react-router | >= 7.0.0-pre.0 < 7.5.2 | 7.5.2 |
CVSS provenance
nvd · v3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vendor_redhat · 8.2 HIGH
OSV
React Router allows pre-render data spoofing on React-Router framework mode
osv·2025-04-24
CVE-2025-43865 [HIGH] React Router allows pre-render data spoofing on React-Router framework mode
## Summary
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
## Details
The vulnerable header is `X-React-Router-Prerender-Data`; a specific JSON object must be passed to it in order for the spoofing to be successful, as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87):
To use the header, React-router must be used in Framework mode, and for the attack to be possib
GHSA
React Router allows pre-render data spoofing on React-Router framework mode
ghsa·2025-04-24
CVE-2025-43865 [HIGH] CWE-345 React Router allows pre-render data spoofing on React-Router framework mode
Red Hat
react-router: React Router allows pre-render data spoofing on React-Router framework mode
vendor_redhat·2025-04-25·CVSS 8.2
CVE-2025-43865 [HIGH] CWE-345 react-router: React Router allows pre-render data spoofing on React-Router framework mode
A flaw was found in React Router. This vulnerability allows an attacker to spoof pre-rendered data and potentially poison the cache via the X-React-Router-Prerender-Data header, enabling arbitrary content injection on the target page.
Statement: The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the applica
No detection rules found.
No public exploits indexed.
https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87
https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j