React Router Vulnerabilities CVE-2025-43864 and CVE-2025-43865 Expose Web Applications to Attack
Ddos 
The React Router team has issued the advisory addressing two vulnerabilities affecting applications running in Framework mode: CVE-2025-43864 and CVE-2025-43865. Given React Router’s widespread usage — with nearly 14 million downloads weekly — these flaws pose a serious risk to web application integrity and availability.
CVE-2025-43864 (CVSS 7.5): Cache Poisoning via Forced SPA Mode
Researchers discovered that by sending a specially crafted request containing the header X-React-Router-SPA-Mode, an attacker can force a server-side rendered (SSR) application to switch to single-page application (SPA) mode. As the advisory explains: “If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page.”
If a caching mechanism is active, the corrupted response can be stored, resulting in cache poisoning that disrupts access for legitimate users.
CVE-2025-43865 (CVSS 8.2): Pre-Render Data Spoofing
A second vulnerability allows attackers to modify pre-rendered data by injecting a malicious X-React-Router-Prerender-Data header. This header accepts a JSON object which, if structured correctly, can alter the page’s data before it reaches users.
According to the React Router advisory: “It is possible to modify pre-rendered data by adding a header to the request… allowing attackers to completely spoof its contents and modify all the values of the data object passed to the HTML.”
This creates opportunities for:
- Cache poisoning attacks.
- Content tampering.
- Potential stored XSS vulnerabilities depending on client-side data handling.
Impact and Affected Versions
Both vulnerabilities affect:
- React Router versions >=7.0 and <=7.5.1.
Patched Version:
- 7.5.2 resolves both vulnerabilities.
Donate