ghsa-cpj6-fhp6-mr6j
Vulnerability from github
Published
2025-04-24 16:31
Modified
2025-04-25 14:34
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Summary
React Router allows pre-render data spoofing on React-Router framework mode
Details

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :

Capture d’écran 2025-04-07 à 05 36 58

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC: - "@react-router/node": "^7.5.0", - "@react-router/serve": "^7.5.0", - "react": "^19.0.0" - "react-dom": "^19.0.0" - "react-router": "^7.5.0"

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)
  3. Access your page (which uses the loader) by suffixing it with .data. In our case the page is called /ssr:

image

We access it by adding the suffix .data and retrieve the data object, needed for the header:

image

  1. Send your request by adding the X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):

Capture d’écran 2025-04-07 à 05 56 10

As you can see, all values ​​have been changed/overwritten by the values ​​provided via the header.

Impact

The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.5.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "react-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-24T16:31:32Z",
    "nvd_published_at": "2025-04-25T01:15:43Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nAfter some research, it turns out that it\u0027s possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values \u200b\u200bof the data object passed to the HTML. Latest versions are impacted.\n\n## Details\nThe vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) :\n\n\u003cimg width=\"776\" alt=\"Capture d\u2019e\u0301cran 2025-04-07 a\u0300 05 36 58\" src=\"https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4\" /\u003e\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:\n\n![image](https://github.com/user-attachments/assets/d7d04e86-c549-4f4a-9200-2d1b6ac96aad)\n\nWe access it by adding the suffix `.data` and retrieve the data object, needed for the header:\n\n![image](https://github.com/user-attachments/assets/ea0ca23e-6ba5-49c1-980d-1b04a05acf56)\n\n4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):\n\n![Capture d\u2019e\u0301cran 2025-04-07 a\u0300 05 56 10](https://github.com/user-attachments/assets/42ca7c9e-5cd3-4eff-9711-1e78755c9046)\n\nAs you can see, all values \u200b\u200bhave been changed/overwritten by the values \u200b\u200bprovided via the header. \n\n## Impact\nThe impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)",
  "id": "GHSA-cpj6-fhp6-mr6j",
  "modified": "2025-04-25T14:34:15Z",
  "published": "2025-04-24T16:31:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/remix-run/react-router"
    },
    {
      "type": "WEB",
      "url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "React Router allows pre-render data spoofing on React-Router framework mode"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.