Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-43865

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.

Published

2025-04-25T01:15:43.270

Last Modified

2025-04-29T13:52:28.490

Status

Awaiting Analysis

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

Weaknesses

Type: Secondary
CWE-345

Affected Vendors & Products

References

https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87 ([email protected])
https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111 ([email protected])
https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j ([email protected])