Critical React Router Flaws Affects Framework Mode Applications

Security researchers have identified two high-severity vulnerabilities in React Router, a popular routing library for React applications. The flaws affecting versions 7.0 through 7.5.1 could allow attackers to conduct denial-of-service attacks and data spoofing through cache poisoning techniques.

Both vulnerabilities specifically target applications using React Router in Framework mode and primarily affect routes that implement loaders, according to security advisories published by researchers Rachid Allam (zhero) and Yasser Allam (inzo_) from the security research group cold-try.

The first vulnerability (CVE-2025-43864) allows attackers to force an application to switch to Single-Page Application (SPA) mode by simply adding the X-React-Router-SPA-Mode header to HTTP requests. When applications using Server-Side Rendering (SSR) are forced into SPA mode, they generate errors that completely corrupt the page rendering.

What makes this vulnerability particularly concerning is its potential for cache poisoning. If the application uses a caching system, the error-laden responses can be cached, resulting in persistent service disruption for all users attempting to access the affected routes.

The second vulnerability (CVE-2025-43865) involves a header called X-React-Router-Prerender-Data that can be exploited to manipulate pre-rendered data. Attackers can first access a page's data by appending ".data" to the route URL, retrieve the data structure, modify its values, and then send requests with the altered data via the vulnerable header.

"The impact is significant," the researchers note in their advisory. "If a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker, allowing him to take control of the content of the page." They further warn that this could lead to stored cross-site scripting (XSS) attacks depending on how the data is used.

Both vulnerabilities received high severity ratings, with CVSS scores of 7.5 and 8.2, respectively, reflecting their network attack vector, low complexity, and significant impact on application availability and integrity.

React Router's maintainers have addressed these security issues in version 7.5.2. Organizations using affected versions are strongly advised to update immediately to mitigate these risks.

The discovery highlights the importance of careful header validation in web frameworks and the potential security implications of features that alter application behavior based on HTTP headers, especially in applications that implement caching mechanisms.