CVE-2025-43865 (GCVE-0-2025-43865)
Vulnerability from cvelistv5 – Published: 2025-04-25 00:18 – Updated: 2025-04-25 15:16
VLAI?
Title
React Router allows pre-render data spoofing on React-Router framework mode
Summary
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
Severity ?
8.2 (High)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| remix-run | react-router |
Affected:
>= 7.0, < 7.5.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43865",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T15:11:14.012087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T15:16:00.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "react-router",
"vendor": "remix-run",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0, \u003c 7.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it\u0027s possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values \u200b\u200bof the data object passed to the HTML. This issue has been patched in version 7.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T00:18:53.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j"
},
{
"name": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"
},
{
"name": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87"
}
],
"source": {
"advisory": "GHSA-cpj6-fhp6-mr6j",
"discovery": "UNKNOWN"
},
"title": "React Router allows pre-render data spoofing on React-Router framework mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-43865",
"datePublished": "2025-04-25T00:18:53.222Z",
"dateReserved": "2025-04-17T20:07:08.556Z",
"dateUpdated": "2025-04-25T15:16:00.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-43865\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-25T15:11:14.012087Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-25T15:12:54.431Z\"}}], \"cna\": {\"title\": \"React Router allows pre-render data spoofing on React-Router framework mode\", \"source\": {\"advisory\": \"GHSA-cpj6-fhp6-mr6j\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"remix-run\", \"product\": \"react-router\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 7.0, \u003c 7.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j\", \"name\": \"https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111\", \"name\": \"https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87\", \"name\": \"https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it\u0027s possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values \\u200b\\u200bof the data object passed to the HTML. This issue has been patched in version 7.5.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-25T00:18:53.222Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-43865\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-25T15:16:00.202Z\", \"dateReserved\": \"2025-04-17T20:07:08.556Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-25T00:18:53.222Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2026-AVI-0054
Vulnerability from certfr_avis - Published: 2026-01-16 - Updated: 2026-01-16
De multiples vulnérabilités ont été découvertes dans Centreon Infra Monitoring. Elles permettent à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | Infra Monitoring | Centreon Infra Monitoring versions 25.10.x sans la dernière mise à jour |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Centreon Infra Monitoring versions 25.10.x sans la derni\u00e8re mise \u00e0 jour",
"product": {
"name": "Infra Monitoring",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43864"
},
{
"name": "CVE-2025-43865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43865"
}
],
"initial_release_date": "2026-01-16T00:00:00",
"last_revision_date": "2026-01-16T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0054",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Centreon Infra Monitoring. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Centreon Infra Monitoring",
"vendor_advisories": [
{
"published_at": "2026-01-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-43865-cve-2025-43864-centreon-25-10-it-business-editions-5345",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-43865-cve-2025-43864-centreon-25-10-it-business-editions-5345"
}
]
}
CERTFR-2025-AVI-1127
Vulnerability from certfr_avis - Published: 2025-12-19 - Updated: 2025-12-19
De multiples vulnérabilités ont été découvertes dans Centreon Web. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Centreon web versions 25.10.x sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43864"
},
{
"name": "CVE-2025-43865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43865"
}
],
"initial_release_date": "2025-12-19T00:00:00",
"last_revision_date": "2025-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1127",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Centreon Web. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Centreon Web",
"vendor_advisories": [
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-web-high-severity-5307",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-high-severity-5307"
}
]
}
FKIE_CVE-2025-43865
Vulnerability from fkie_nvd - Published: 2025-04-25 01:15 - Updated: 2025-04-29 13:52
Severity ?
Summary
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it\u0027s possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values \u200b\u200bof the data object passed to the HTML. This issue has been patched in version 7.5.2."
},
{
"lang": "es",
"value": "React Router es un enrutador para React. En versiones de la rama 7.0 anteriores a la 7.5.2, es posible modificar datos pre-renderizados a\u00f1adiendo un encabezado a la solicitud. Esto permite falsificar completamente su contenido y modificar todos los valores del objeto de datos pasado al HTML. Este problema se ha corregido en la versi\u00f3n 7.5.2."
}
],
"id": "CVE-2025-43865",
"lastModified": "2025-04-29T13:52:28.490",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-25T01:15:43.270",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-CPJ6-FHP6-MR6J
Vulnerability from github – Published: 2025-04-24 16:31 – Updated: 2026-01-16 22:01
VLAI?
Summary
React Router allows pre-render data spoofing on React-Router framework mode
Details
Summary
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
Details
The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :
To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Steps to reproduce
Versions used for our PoC: - "@react-router/node": "^7.5.0", - "@react-router/serve": "^7.5.0", - "react": "^19.0.0" - "react-dom": "^19.0.0" - "react-router": "^7.5.0"
- Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
- Add a simple page using a loader (example:
routes/ssr) - Access your page (which uses the loader) by suffixing it with
.data. In our case the page is called/ssr:
We access it by adding the suffix .data and retrieve the data object, needed for the header:
- Send your request by adding the
X-React-Router-Prerender-Dataheader with the previously retrieved object as its value. You can change any value of yourdataobject (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):
As you can see, all values have been changed/overwritten by the values provided via the header.
Impact
The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.
Credits
- Rachid Allam (zhero;)
- Yasser Allam (inzo_)
Severity ?
8.2 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.1"
},
"package": {
"ecosystem": "npm",
"name": "react-router"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-pre.0"
},
{
"fixed": "7.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43865"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-24T16:31:32Z",
"nvd_published_at": "2025-04-25T01:15:43Z",
"severity": "HIGH"
},
"details": "## Summary\nAfter some research, it turns out that it\u0027s possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values \u200b\u200bof the data object passed to the HTML. Latest versions are impacted.\n\n## Details\nThe vulnerable header is `X-React-Router-Prerender-Data`, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is [the vulnerable code](https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87) :\n\n\u003cimg width=\"776\" alt=\"Capture d\u2019e\u0301cran 2025-04-07 a\u0300 05 36 58\" src=\"https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4\" /\u003e\n\nTo use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.\n\n## Steps to reproduce \nVersions used for our PoC: \n- \"@react-router/node\": \"^7.5.0\",\n- \"@react-router/serve\": \"^7.5.0\",\n- \"react\": \"^19.0.0\"\n- \"react-dom\": \"^19.0.0\"\n- \"react-router\": \"^7.5.0\"\n\n1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)\n2. Add a simple page using a loader (example: `routes/ssr`)\n3. Access your page (*which uses the loader*) by suffixing it with `.data`. In our case the page is called `/ssr`:\n\n\n\nWe access it by adding the suffix `.data` and retrieve the data object, needed for the header:\n\n\n\n4. Send your request by adding the `X-React-Router-Prerender-Data` header with the previously retrieved object as its value. You can change any value of your `data` object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):\n\n\n\nAs you can see, all values \u200b\u200bhave been changed/overwritten by the values \u200b\u200bprovided via the header. \n\n## Impact\nThe impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.\n\n## Credits\n- Rachid Allam (zhero;)\n- Yasser Allam (inzo_)",
"id": "GHSA-cpj6-fhp6-mr6j",
"modified": "2026-01-16T22:01:19Z",
"published": "2025-04-24T16:31:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43865"
},
{
"type": "WEB",
"url": "https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111"
},
{
"type": "PACKAGE",
"url": "https://github.com/remix-run/react-router"
},
{
"type": "WEB",
"url": "https://github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "React Router allows pre-render data spoofing on React-Router framework mode"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…