Improper Handling of Exceptional Conditions Affecting react-router package, versions >=7.2.0 <7.5.2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.06% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-REACTROUTER-9804420
  • published25 Apr 2025
  • disclosed24 Apr 2025
  • creditRachid Allam, Yasser Allam

Introduced: 24 Apr 2025

CVE-2025-43864  (opens in a new tab)
CWE-755  (opens in a new tab)

How to fix?

Upgrade react-router to version 7.5.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the X-React-Router-SPA-Mode header. An attacker can disrupt the availability of the application by sending a crafted request that forces the server to switch to SPA mode, leading to an error that corrupts the page content.

Note:

This is only exploitable if the application is running in Framework mode, which is the default configuration, it has a caching system in place and the target page utilizes a loader.

CVSS Base Scores

version 4.0
version 3.1