Two security vulnerabilities in React Router allow attackers to corrupt or spoof server-rendered content simply by adding a header to an HTTP request. The vulnerabilities affect React Router versions 7.2.0 through 7.5.1 and specifically target applications that use loaders, which are responsible for data fetching in React Router applications. React Router in Framework mode provides a hybrid approach that combines SPA concepts with server-side rendering.

The first vulnerability, assigned a CVSS score of 7.5, enables attackers to force server-side rendered (SSR) applications to switch to single-page application (SPA) mode by injecting a malicious header. To exploit it, an attacker needs no special privileges; they simply add the malicious header to requests targeting pages that use loaders in applications running React Router in Framework mode. If a caching system is implemented, the resulting corrupted response can be stored and served to subsequent users, effectively poisoning the cache and creating a denial of service condition.

The second vulnerability allows an attacker to spoof pre-rendered data. According to the advisory: “It is possible to modify pre-rendered data by adding a header to the request, allowing attackers to completely spoof its contents and modify all the values of the data object passed to the HTML”. This attack vector enables complete spoofing of content by modifying values in the data object passed to the HTML before it reaches users.

Both vulnerabilities have been patched in React Router version 7.5.2, released on April 24, 2025. Given the widespread use of React Router in web applications, these vulnerabilities represent a significant security concern requiring prompt attention from development teams. The React Router team strongly recommends that all users upgrade immediately to mitigate these security risks.
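The following is an added example written for this page; it is not code from the article or from the React Router project. It models the cache-poisoning path described above with a toy origin, a toy cache keyed on the request path only, and an edge filter that drops the internal React Router headers before a request reaches the origin or the cache. The header names `X-React-Router-SPA-Mode` and `X-React-Router-Prerender-Data` are taken from the React Router GitHub advisories rather than from this article, so verify them against the advisory before relying on them; the origin's error behaviour, the cache's storage rule, and the loader data are constructed for illustration. Upgrading to 7.5.2 is the actual fix; the filter is a stopgap for an edge you control.

```javascript
// Header names from the React Router advisories (assumption: not given on this page).
const INTERNAL_HEADERS = ["x-react-router-spa-mode", "x-react-router-prerender-data"];

// HTTP header names are case-insensitive, so normalise keys before matching.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Toy stand-in for a vulnerable (7.2.0 - 7.5.1) Framework-mode route that uses a loader.
// Constructed behaviour: honouring either header corrupts or replaces the rendered data.
function vulnerableOrigin(req) {
  const h = lowerKeys(req.headers);
  if (h["x-react-router-spa-mode"] !== undefined) {
    // Loader-backed route forced into SPA mode: the render fails and the page is corrupted.
    return { status: 500, body: "<html><body>Application Error</body></html>" };
  }
  let data = { user: "alice", balance: 100 }; // constructed loader result
  if (h["x-react-router-prerender-data"] !== undefined) {
    try {
      data = JSON.parse(h["x-react-router-prerender-data"]); // attacker-controlled data object
    } catch {
      // unparsable header: keep the real loader data
    }
  }
  const body = `<html><body><script>window.__data=${JSON.stringify(data)}</script></body></html>`;
  return { status: 200, body };
}

// Toy shared cache keyed on path only (the header is not part of the key), which stores
// whatever the origin returns. Real caches have their own storage rules; this one is
// deliberately permissive to show the poisoning path.
class PathCache {
  constructor() {
    this.store = new Map();
  }
}

// Serve a request through the cache; `filter` runs on the request before the origin sees it.
function serve(cache, origin, req, filter = (r) => r) {
  const hit = cache.store.get(req.path);
  if (hit) return { ...hit, fromCache: true };
  const resp = origin(filter(req));
  cache.store.set(req.path, resp);
  return { ...resp, fromCache: false };
}

// Edge mitigation: drop the internal headers so neither the origin nor the cache ever
// sees a header-switched response.
function stripInternalHeaders(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (!INTERNAL_HEADERS.includes(k.toLowerCase())) headers[k] = v;
  }
  return { ...req, headers };
}

// Scenario 1: attacker forces SPA mode on a loader route, then a normal user hits the cache.
function poisoningScenario(filter) {
  const cache = new PathCache();
  const attacker = { path: "/account", headers: { "X-React-Router-SPA-Mode": "yes" } };
  const victim = { path: "/account", headers: {} };
  serve(cache, vulnerableOrigin, attacker, filter);
  return serve(cache, vulnerableOrigin, victim, filter);
}

// Scenario 2: attacker supplies a spoofed pre-render data object, then a normal user hits the cache.
function spoofScenario(filter) {
  const cache = new PathCache();
  const spoofed = JSON.stringify({ user: "mallory", balance: 0 });
  const attacker = { path: "/account", headers: { "X-React-Router-Prerender-Data": spoofed } };
  const victim = { path: "/account", headers: {} };
  serve(cache, vulnerableOrigin, attacker, filter);
  return serve(cache, vulnerableOrigin, victim, filter);
}

// Demo when run directly: unfiltered traffic poisons the cache; filtered traffic does not.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unfiltered SPA-mode victim:", poisoningScenario().status);              // 500
  console.log("filtered SPA-mode victim:  ", poisoningScenario(stripInternalHeaders).status); // 200
  console.log("unfiltered spoof victim:   ", spoofScenario().body);
  console.log("filtered spoof victim:     ", spoofScenario(stripInternalHeaders).body);
}
```

The point the model makes is that the cache key never includes the offending header, so a single attacker request decides what every later visitor of that path receives until the entry expires. A header filter at the edge only helps if it sits in front of both the cache and the origin; a cache that also varies its key on these headers would contain the damage but still let the attacker poison their own keyed entry.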
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Apr 2025 10:09:59 +0000