{ "schema_version": "1.4.0", "id": "GHSA-cpj6-fhp6-mr6j", "modified": "2025-04-25T14:34:15Z", "published": "2025-04-24T16:31:32Z", "aliases": [ "CVE-2025-43865" ], "summary": "React Router allows pre-render data spoofing on React-Router framework mode", "details": "## Summary\nAfter some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. Latest versions are impacted.\n\n## Details\nThe vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) :\n\n\"Capture\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:\n\n![image](https://github.com/user-attachments/assets/d7d04e86-c549-4f4a-9200-2d1b6ac96aad)\n\nWe access it by adding the suffix `.data` and retrieve the data object, needed for the header:\n\n![image](https://github.com/user-attachments/assets/ea0ca23e-6ba5-49c1-980d-1b04a05acf56)\n\n4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):\n\n![Capture d’écran 2025-04-07 à 05 56 10](https://github.com/user-attachments/assets/42ca7c9e-5cd3-4eff-9711-1e78755c9046)\n\nAs you can see, all values ​​have been changed/overwritten by the values ​​provided via the header. \n\n## Impact\nThe impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "react-router" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0" }, { "fixed": "7.5.2" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 7.5.1" } } ], "references": [ { "type": "WEB", "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43865" }, { "type": "WEB", "url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111" }, { "type": "PACKAGE", "url": "https://github.com/remix-run/react-router" }, { "type": "WEB", "url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87" } ], "database_specific": { "cwe_ids": [ "CWE-345" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-24T16:31:32Z", "nvd_published_at": "2025-04-25T01:15:43Z" } }