React Router Vulnerabilities Allow Attackers to Spoof Content and Alter Values - #CVE-2025-43864
Two high-severity vulnerabilities, CVE-2025-43864 and CVE-2025-43865, have been disclosed in React Router versions 7.0 through 7.5.1. Both affect applications running in Framework mode with loaders, and both stem from the same root cause: request headers that the framework uses internally are honored when they arrive from an untrusted client. The first (CVE-2025-43864, CVSS 7.5) lets an unauthenticated client force a server-rendered route into SPA mode, which produces a rendering error; if the response is served through a CDN or other cache, that error page is stored and served to every later visitor, turning one request into a cache-poisoning denial of service. The second (CVE-2025-43865, CVSS 8.2) lets a client spoof the pre-rendered loader data that the server trusts when rendering, so attacker-controlled values end up in the response; where that data is cached or rendered into HTML without sanitization, the result is cache poisoning or stored XSS. Together the flaws affect both availability and integrity. The React Router maintainers fixed both issues in version 7.5.2, and users should update immediately; a CDN cache purge after upgrading is also worth considering if the application may already have been targeted. These vulnerabilities highlight the need for web frameworks, especially ones that sit behind caches, to validate or ignore internal control headers coming from clients, and for server-side rendering frameworks to treat any data that influences rendering as untrusted unless its origin is verified.
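The durable fix is the upgrade to 7.5.2, but an operator who cannot roll out immediately, or who wants defense in depth in front of a cached deployment, can drop the framework's internal control headers at the edge. The following is an added example written for this page, not code from the React Router project: a small Express/Connect-style middleware that strips the two headers from inbound requests and records when a client sent them, plus a helper that can be reused in a probe against a test deployment. The header names `X-React-Router-SPA-Mode` and `X-React-Router-Prerender-Data` come from the upstream advisories for the two CVEs, not from this page, so verify them against your installed version before relying on this; the sample request is constructed, not captured traffic.

```javascript
// Added example (not React Router project code): edge middleware that
// drops React Router's internal control headers before the framework's
// request handler sees them, as defense in depth alongside upgrading.
// Header names are taken from the upstream advisories (assumption; the
// page does not list them). Node's http module lowercases header names,
// so comparisons are done on lowercased names throughout.

const INTERNAL_HEADERS = [
  "x-react-router-spa-mode",       // CVE-2025-43864: forces SPA mode
  "x-react-router-prerender-data", // CVE-2025-43865: spoofs loader data
];

// Return the internal headers present on a request (lowercased names).
// Reusable from a probe client: send one of the headers at a cached
// framework-mode route and compare the response with an unmodified request.
function findInternalHeaders(headers) {
  const present = [];
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (INTERNAL_HEADERS.includes(lower)) present.push(lower);
  }
  return present;
}

// Remove the internal headers in place; return what was removed so the
// caller can log the attempt without the values reaching the framework.
function stripInternalHeaders(headers) {
  const removed = {};
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (INTERNAL_HEADERS.includes(lower)) {
      removed[lower] = headers[name];
      delete headers[name];
    }
  }
  return removed;
}

// Express/Connect-style middleware factory. Mount it before the React
// Router request handler. `logger` only needs a warn(message) method.
function reactRouterHeaderGuard(logger = console) {
  return function guard(req, res, next) {
    const removed = stripInternalHeaders(req.headers);
    const names = Object.keys(removed);
    if (names.length > 0) {
      logger.warn(
        `dropped internal React Router header(s) on ${req.method} ${req.url}: ${names.join(", ")}`
      );
    }
    next();
  };
}

// Constructed sample request (not captured traffic): a client trying to
// force SPA mode on a framework-mode route that a CDN would cache.
function makeSampleRequest() {
  return {
    method: "GET",
    url: "/products/42",
    headers: {
      host: "example.test",
      accept: "text/html",
      "x-react-router-spa-mode": "yes",
    },
  };
}

// Run the guard over the sample request with an in-memory logger and
// return what the downstream handler would observe.
function demo() {
  const req = makeSampleRequest();
  const events = [];
  const guard = reactRouterHeaderGuard({ warn: (m) => events.push(m) });
  let nextCalled = false;
  guard(req, {}, () => { nextCalled = true; });
  return { headers: { ...req.headers }, events, nextCalled };
}
```

Mount the guard ahead of the framework handler (for Express, `app.use(reactRouterHeaderGuard())`), and feed the warnings to your SIEM: a client sending either header is either a scanner or an exploit attempt, and the count of such requests is a cheap detection signal. The middleware assumes no legitimate client of your deployment sets these headers; it is a stopgap, not a replacement for upgrading to 7.5.2.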