Improper Handling of Exceptional Conditions Affecting @react-router/dev package, versions >=7.2.0 <7.5.2


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-REACTROUTERDEV-9804421
  • published25 Apr 2025
  • disclosed24 Apr 2025
  • creditRachid Allam, Yasser Allam

Introduced: 24 Apr 2025

NewCVE-2025-43864  (opens in a new tab)
CWE-755  (opens in a new tab)

How to fix?

Upgrade @react-router/dev to version 7.5.2 or higher.

Overview

@react-router/dev is a Dev tools and CLI for React Router

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the X-React-Router-SPA-Mode header. An attacker can disrupt the availability of the application by sending a crafted request that forces the server to switch to SPA mode, leading to an error that corrupts the page content.

Note:

This is only exploitable if the application is running in Framework mode, which is the default configuration, it has a caching system in place and the target page utilizes a loader.

CVSS Base Scores

version 4.0
version 3.1