4915 matches found
CVE-2025-43864 React Router allows a DoS via cache poisoning by forcing SPA mode
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
react-router data forgery vulnerability
react-router is a declarative routing for React open-sourced by Remix. A data forgery issue vulnerability exists in versions of react-router prior to 7.5.2, which stems from the possible modification of pre-rendered data by adding a request header...
react-router security vulnerability
react-router is a declarative routing for React open-sourced by Remix. A security vulnerability exists in react-router versions prior to 7.2.0 through 7.5.2, which stems from potentially forcing an application to switch to SPA mode by adding a request header, which could lead to cache poisoning...
10xanswers (>=1.1.0 <=1.1.16), 31g-form-parser (=1.0.107) +3312 more potentially affected by CVE-2025-43865 via react-router (>=7.0.0-pre.0 <=7.5.1)
react-router NPM version =7.0.0-pre.0, =1.1.0, =1.0.0, =0.0.6, =0.0.1, =0.1.0, =3.1.0-beta.1, =1.0.0, =0.0.2, =1.0.0, =1.0.1, =5.0.8 and more Source cves: CVE-2025-43865 Source advisory: OSV:GHSA-CPJ6-FHP6-MR6J...
GHSA-CPJ6-FHP6-MR6J React Router allows pre-render data spoofing on React-Router framework mode
Summary After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. Details The vulnerable header i...
React Router allows pre-render data spoofing on React-Router framework mode
Summary After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. Details The vulnerable header i...
@accounter/client (>=0.0.4-alpha-20250218215417-09067250dfe59d52ff05e9ab3ed5ed3c462043f4 <=0.0.5-alpha-20250505082538-38c58bebc71a033977733a447a842c7e011f7c8f), @boxyhq/react-ui (=3.4.0) +70 more potentially affected by CVE-2025-43864 via react-router (>=7.2.0 <=7.5.1)
react-router NPM version =7.2.0, =0.0.4-alpha-20250218215417-09067250dfe59d52ff05e9ab3ed5ed3c462043f4, =0.2.3, =15.2.2, =0.0.1-ssmch, =0.0.1-dev.8, =0.0.1-0, =0.0.1-alpha.6, =16.0.29, =0.0.2, =13.34.0, =0.3.4, =13.33.0, =0.0.11, =0.2.13 and more Source cves: CVE-2025-43864 Source advisory:...
GHSA-F46R-RW29-R322 React Router allows a DoS via cache poisoning by forcing SPA mode
Summary After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...
React Router allows a DoS via cache poisoning by forcing SPA mode
Summary After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...
PT-2025-17868
Name of the Vulnerable Software and Affected Versions React Router versions 7.0 through 7.5.1 Description The issue allows an attacker to modify pre-rendered data by adding a header to the request, potentially leading to various exploits, including stored XSS. This is possible due to a...
PT-2025-17867
Name of the Vulnerable Software and Affected Versions React Router versions 7.2.0 through 7.5.2 Description The issue allows an attacker to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an erro...
Malicious code in @sporta-technology/rn-components.text-input (npm)
Malicious code in @sas-dvr/internal-va-react-core (npm)
MAL-2025-3303 Malicious code in @sas-dvr/internal-va-react-core (npm)
Malicious code in react-x-twitter (npm)
Source: ghsa-malware 1675100a9b4622daef2a3e8d439f1baf8428c60cd4dad9b6fe09ef615ce1e645 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3274 Malicious code in react-x-twitter (npm)
Source: ghsa-malware 1675100a9b4622daef2a3e8d439f1baf8428c60cd4dad9b6fe09ef615ce1e645 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in talsec-react-native-security-plugin (npm)
Source: ghsa-malware 68ab8661116d9ec30b2582ba0a9547684e8ad10024bae79f2b4094e5ea0937d3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3262 Malicious code in talsec-react-native-security-plugin (npm)
Source: ghsa-malware 68ab8661116d9ec30b2582ba0a9547684e8ad10024bae79f2b4094e5ea0937d3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-32026 Element Web could load a malicious instance of Element Call leaking media encryption keys
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used f...
Malicious code in arno-react (npm)
Source: ghsa-malware 09b3072a4a914ee5e85596d8f9a01d42ed0596c24aa05bc664e85067c41cbd3a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...