Insufficient Verification of Data Authenticity Affecting react-router package, versions >=7.0.0 <7.5.2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.04% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-REACTROUTER-9804426
  • published25 Apr 2025
  • disclosed24 Apr 2025
  • creditRachid Allam, Yasser Allam

Introduced: 24 Apr 2025

CVE-2025-43865  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade react-router to version 7.5.2 or higher.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the X-React-Router-Prerender-Data header. An attacker can manipulate the pre-rendered data by injecting a malicious JSON object into this header, potentially leading to data spoofing and cache poisoning.

Note:

This is only exploitable if the application is running in Framework mode, which is the default configuration, it has a caching system in place and the target page utilizes a loader.

CVSS Base Scores

version 4.0
version 3.1