CVE-2025-43864

Published Apr 25, 2025

Last updated a day ago

CVSS high 7.5
React Router

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-43864 affects React Router, a routing library for React applications; versions 7.2.0 through 7.5.1 are vulnerable. A client can force an application into SPA (single-page application) mode by adding the `X-React-Router-SPA-Mode` header to a request. If the application uses server-side rendering (SSR), being forced into SPA mode causes an error that corrupts the rendered page. Where a caching layer such as a CDN or reverse proxy sits in front of the application, that error response can be cached and then served to every subsequent visitor, a cache poisoning that degrades availability (the CVSS vector below scores availability only: C:N/I:N/A:H). The vulnerability is fixed in React Router 7.5.2; until an upgrade is possible, dropping the header at the edge and refusing to cache error responses limit the exposure.

Description
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. This issue has been patched in version 7.5.2.
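The following helpers, added here as an example and not code from the React Router project or from Intruder, cover the three things a team usually wants while triaging this advisory: a version check against the affected range (7.2.0 <= v < 7.5.2), an edge or proxy filter that drops the `X-React-Router-SPA-Mode` header before the request reaches the SSR handler, and a cache admission rule so an SSR error response is never stored. The header name is the one quoted in the description above; the header value sent by the probe, the HTTP statuses used as sample data and the helper names are assumptions.

```javascript
// Added example for CVE-2025-43864 triage; not React Router project code.
// Header name comes from the advisory text; everything else is assumed.

const SPA_MODE_HEADER = 'x-react-router-spa-mode';
const FIRST_AFFECTED = '7.2.0'; // from the advisory: "starting in version 7.2.0"
const FIXED_IN = '7.5.2';       // from the advisory: "prior to version 7.5.2"

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build
// metadata ignored) into three numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed react-router version is inside the affected range.
function isAffectedVersion(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, FIXED_IN) < 0;
}

// Proxy-side mitigation: return a copy of the incoming request headers with
// the SPA-mode header removed (header names are case-insensitive), plus a
// flag so the proxy can log that someone tried to send it.
function stripSpaModeHeader(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === SPA_MODE_HEADER) { stripped = true; continue; }
    cleaned[name] = value;
  }
  return { headers: cleaned, stripped };
}

// Cache admission rule: the poisoning described in the advisory requires the
// error page to be stored, so refuse to cache any non-2xx SSR response, and
// never cache a response produced for a request that still carried the header.
function shouldCache(requestHeaders, responseStatus) {
  const carriedHeader = Object.keys(requestHeaders)
    .some((n) => n.toLowerCase() === SPA_MODE_HEADER);
  return !carriedHeader && responseStatus >= 200 && responseStatus < 300;
}

// Decision logic for a differential probe: compare the status of a baseline
// request with one that carried the header. Kept separate from any network
// code so it can be checked offline.
function classifyProbe(baselineStatus, withHeaderStatus) {
  if (baselineStatus >= 500) return 'inconclusive: baseline already failing';
  if (withHeaderStatus >= 500) return 'likely vulnerable';
  return 'no difference observed';
}

// Live probe wrapper. fetchImpl is injected so it can be faked in tests.
// Run this only against a staging origin or directly against the origin
// server, never through a shared cache: the request with the header could
// itself plant the poisoned error page the advisory warns about.
async function probe(url, fetchImpl = globalThis.fetch) {
  const base = await fetchImpl(url, {
    headers: { 'Cache-Control': 'no-cache' },
  });
  const withHeader = await fetchImpl(url, {
    // The value "yes" is an assumption; the advisory text gives no value.
    headers: { 'Cache-Control': 'no-cache', 'X-React-Router-SPA-Mode': 'yes' },
  });
  return classifyProbe(base.status, withHeader.status);
}
```

`stripSpaModeHeader` belongs in whatever sits in front of the SSR process (a reverse proxy rule or an edge function does the same job), and `shouldCache` is the rule a caching layer should already enforce: serving a stored 5xx to every visitor is the entire impact here, so the cache, not only the router upgrade, is a control point.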
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-755 (Improper Handling of Exceptional Conditions)

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

36