Matt Brophy

2 exploits Active since Apr 2025

CVE-2025-43864 WRITEUP HIGH WRITEUP

NPM React-router < 7.5.2 - Improper Exception Handling

React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. This issue has been patched in version 7.5.2.

CVSS 7.5

View Code

CVE-2025-43865 WRITEUP HIGH WRITEUP

NPM React-router < 7.5.2 - Data Authenticity Bypass

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.

CVSS 8.2

View Code