Insufficient Verification of Data Authenticity Affecting @react-router/dev package, versions >=7.0.0 <7.5.2


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.02% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-REACTROUTERDEV-9804427
  • published25 Apr 2025
  • disclosed24 Apr 2025
  • creditRachid Allam, Yasser Allam

Introduced: 24 Apr 2025

NewCVE-2025-43865  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade @react-router/dev to version 7.5.2 or higher.

Overview

@react-router/dev is a Dev tools and CLI for React Router

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the X-React-Router-Prerender-Data header. An attacker can manipulate the pre-rendered data by injecting a malicious JSON object into this header, potentially leading to data spoofing and cache poisoning.

Note:

This is only exploitable if the application is running in Framework mode, which is the default configuration, it has a caching system in place and the target page utilizes a loader.

CVSS Base Scores

version 4.0
version 3.1