4881 matches found
CVE-2025-43865 React Router allows pre-render data spoofing on React-Router framework mode
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has bee...
CVE-2025-43864
CVE-2025-43864: React Router (versions 7.2.0–7.5.1) allows forcing SPA mode by a request header, which on SSR apps can trigger a page-corrupting error. If a cache stores the error response, this enables cache poisoning and degrades availability. Patch: upgrade to React Router 7.5.2 (or later).
CVE-2025-43864 React Router allows a DoS via cache poisoning by forcing SPA mode
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
react-router data forgery vulnerability
react-router is a declarative routing for React open-sourced by Remix. A data forgery issue vulnerability exists in versions of react-router prior to 7.5.2, which stems from the possible modification of pre-rendered data by adding a request header...
react-router security vulnerability
react-router is a declarative routing for React open-sourced by Remix. A security vulnerability exists in react-router versions prior to 7.2.0 through 7.5.2, which stems from potentially forcing an application to switch to SPA mode by adding a request header, which could lead to cache poisoning...
10xanswers (>=1.1.0 <=1.1.16), 31g-form-parser (=1.0.107) +3168 more potentially affected by CVE-2025-43865 via react-router (>=7.0.0-pre.0 <=7.5.1)
react-router NPM version =7.0.0-pre.0, =1.1.0, =1.0.0, =0.0.6, =0.0.1, =0.1.0, =3.1.0-beta.1, =1.0.0, =0.0.2, =3.1.61, =3.2.206 and more Source cves: CVE-2025-43865 Source advisory: OSV:GHSA-CPJ6-FHP6-MR6J...
React Router allows pre-render data spoofing on React-Router framework mode
Summary: After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. Details: The vulnerable header i...
GHSA-CPJ6-FHP6-MR6J React Router allows pre-render data spoofing on React-Router framework mode
Summary: After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. Details: The vulnerable header i...
React Router allows a DoS via cache poisoning by forcing SPA mode
Summary: After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...
GHSA-F46R-RW29-R322 React Router allows a DoS via cache poisoning by forcing SPA mode
Summary: After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...
@accounter/client (>=0.0.4-alpha-20250218215417-09067250dfe59d52ff05e9ab3ed5ed3c462043f4 <=0.0.5-alpha-20250505082538-38c58bebc71a033977733a447a842c7e011f7c8f), @boxyhq/react-ui (=3.4.0) +69 more potentially affected by CVE-2025-43864 via react-router (>=7.2.0 <=7.5.1)
react-router NPM version =7.2.0, =0.0.4-alpha-20250218215417-09067250dfe59d52ff05e9ab3ed5ed3c462043f4, =0.2.3, =15.2.2, =0.0.1-ssmch, =0.0.1-dev.8, =0.0.1-0, =0.0.1-alpha.6, =16.0.29, =0.0.2, =13.34.0, =0.3.4, =13.33.0, =0.0.11, =0.2.8 and more Source cves: CVE-2025-43864 Source advisory:...
PT-2025-17867
Name of the Vulnerable Software and Affected Versions: React Router versions 7.2.0 through 7.5.2. Description: The issue allows an attacker to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an erro...
PT-2025-17868
Name of the Vulnerable Software and Affected Versions: React Router versions 7.0 through 7.5.1. Description: The issue allows an attacker to modify pre-rendered data by adding a header to the request, potentially leading to various exploits, including stored XSS. This is possible due to a...
Malicious code in @sporta-technology/rn-components.text-input (npm)
MAL-2025-3303 Malicious code in @sas-dvr/internal-va-react-core (npm)
Malicious code in react-x-twitter (npm)
Source: ghsa-malware 1675100a9b4622daef2a3e8d439f1baf8428c60cd4dad9b6fe09ef615ce1e645. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...