CVE-2025-43865

HIGH

NPM React-router < 7.5.2 - Data Authenticity Bypass

Title source: rule

Description

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it is possible to modify pre-rendered data by adding a header to the request. This allows an attacker to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.

Exploits (1)

nomisec STUB
by pouriam23 · poc
https://github.com/pouriam23/Pre-render-data-spoofing-on-React-Router-framework-mode-CVE-2025-43865

Scores

CVSS v3 8.2
EPSS 0.0029
EPSS Percentile 52.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Details

CWE
CWE-345
Status published
Products (2)
npm/react-router 7.0.0-pre.0 - 7.5.2 npm
remix-run/react-router >= 7.0, < 7.5.2
Published Apr 25, 2025
Tracked Since Feb 18, 2026