Commit afaa1e2
chore(deps): update dependency react-router to v7.5.2 [security] (main) (#7271)
This PR contains the following updates:
| Package | Change |
|---|---|
| [react-router](https://redirect.github.com/remix-run/react-router) ([source](https://redirect.github.com/remix-run/react-router/tree/HEAD/packages/react-router)) | [`7.5.1` -> `7.5.2`](https://renovatebot.com/diffs/npm/react-router/7.5.1/7.5.2) |
### GitHub Vulnerability Alerts
#### [CVE-2025-43864](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322)
## Summary
After some research, it turns out that it is possible to force an
application to switch to SPA mode by adding a header to the request. If
the application uses SSR and is forced to switch to SPA, this causes an
error that completely corrupts the page. If a cache system is in place,
this allows the response containing the error to be cached, resulting in
a cache poisoning that strongly impacts the availability of the
application.
## Details
The vulnerable header is `X-React-Router-SPA-Mode`; adding it to a
request sent to a page/endpoint using a loader throws an error. Here is
[the vulnerable code](https://redirect.github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/server.ts#L407):
<img width="672" alt="Capture d’écran 2025-04-07 à 08 28 20"
src="https://github.com/user-attachments/assets/0a0e9c41-70fd-4dba-9061-892dd6797291"
/>
To use the header, React-router must be used in Framework mode, and for
the attack to be possible the target page must use a loader.
## Steps to reproduce
Versions used for our PoC:
- "@​react-router/node": "^7.5.0",
- "@​react-router/serve": "^7.5.0",
- "react": "^19.0.0"
- "react-dom": "^19.0.0"
- "react-router": "^7.5.0"
1. Install React-Router with its default configuration in Framework mode
(https://reactrouter.com/start/framework/installation)
2. Add a simple page using a loader (example: `routes/ssr`)

3. Send a request to the endpoint using the loader (`/ssr` in our case)
adding the following header:
```
X-React-Router-SPA-Mode: yes
```
Notice the difference between a request with and without the header;
**Normal request**

**With the header**


## Impact
If a system cache is in place, it is possible to poison the response by
completely altering its content (*by an error message*), strongly
impacting its availability, making the latter impractical via a
cache-poisoning attack.
## Credits
- Rachid Allam (zhero;)
- Yasser Allam (inzo_)
#### [CVE-2025-43865](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-cpj6-fhp6-mr6j)
## Summary
After some research, it turns out that it's possible to modify
pre-rendered data by adding a header to the request. This makes it
possible to completely spoof its contents and modify all the values of
the data object passed to the HTML. Latest versions are impacted.
## Details
The vulnerable header is `X-React-Router-Prerender-Data`; a specific
JSON object must be passed to it in order for the spoofing to be
successful, as we will see shortly. Here is
[the vulnerable code](https://redirect.github.com/remix-run/react-router/blob/e6c53a0130559b4a9bd47f9cf76ea5b08a69868a/packages/react-router/lib/server-runtime/routes.ts#L87):
<img width="776" alt="Capture d’écran 2025-04-07 à 05 36 58"
src="https://github.com/user-attachments/assets/c95b0b33-15ce-4d30-9f5e-b10525dd6ab4"
/>
To use the header, React-router must be used in Framework mode, and for
the attack to be possible the target page must use a loader.
## Steps to reproduce
Versions used for our PoC:
- "@​react-router/node": "^7.5.0",
- "@​react-router/serve": "^7.5.0",
- "react": "^19.0.0"
- "react-dom": "^19.0.0"
- "react-router": "^7.5.0"
1. Install React-Router with its default configuration in Framework mode
(https://reactrouter.com/start/framework/installation)
2. Add a simple page using a loader (example: `routes/ssr`)
3. Access your page (*which uses the loader*) by suffixing it with
`.data`. In our case the page is called `/ssr`:

We access it by adding the suffix `.data` and retrieve the data object,
needed for the header:

4. Send your request by adding the `X-React-Router-Prerender-Data`
header with the previously retrieved object as its value. You can change
any value of your `data` object (do not touch the other values, the
latter being necessary for the object to be processed correctly and not
throw an error):

As you can see, all values have been changed/overwritten by the values
provided via the header.
## Impact
The impact is significant: if a cache system is in place, it is possible
to poison a response in which all of the data transmitted via a loader
would be altered by an attacker, allowing him to take control of the
content of the page and modify it as he wishes via a cache-poisoning
attack. This can lead to several types of attacks, including potential
stored XSS, depending on the context in which the data is injected and/or
how the data is used on the client-side.
## Credits
- Rachid Allam (zhero;)
- Yasser Allam (inzo_)
---
### Release Notes
<details>
<summary>remix-run/react-router (react-router)</summary>
### [`v7.5.2`](https://redirect.github.com/remix-run/react-router/blob/HEAD/packages/react-router/CHANGELOG.md#752)
[Compare Source](https://redirect.github.com/remix-run/react-router/compare/[email protected]@7.5.2)
##### Patch Changes
- Update Single Fetch to also handle the 204 redirects used in `?_data`
requests in Remix v2
([#​13364](https://redirect.github.com/remix-run/react-router/pull/13364))
- This allows applications to return a redirect on `.data` requests from
outside the scope of React Router (i.e., an `express`/`hono` middleware)
1 parent e733f36 commit afaa1e2
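Until the upgrade is deployed everywhere, the two headers named in the advisories can be dropped before a request reaches the React Router handler. This is an added example, not code from react-router or from this repository; the function names, the Connect/Express-style wiring and the sample request are assumptions.

```javascript
// Header names are taken from the two advisories in the commit message above.
const INTERNAL_HEADERS = new Set([
  "x-react-router-spa-mode",
  "x-react-router-prerender-data",
]);

// Return a copy of `headers` without the framework-internal headers,
// plus the original names that were removed (matched case-insensitively).
function stripInternalHeaders(headers) {
  const clean = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers)) {
    if (INTERNAL_HEADERS.has(name.trim().toLowerCase())) {
      removed.push(name);
    } else {
      clean[name] = value;
    }
  }
  return { clean, removed };
}

// Hypothetical Connect/Express-style middleware: mutates req.headers in place
// so the framework's request handler never sees client-supplied values.
// It has to be registered before the React Router request handler.
function dropInternalHeaders(req, res, next) {
  const { removed } = stripInternalHeaders(req.headers);
  for (const name of removed) delete req.headers[name];
  if (removed.length > 0) {
    // Leave a trace for detection: these headers have no reason to
    // arrive from an external client.
    console.warn(`dropped client-supplied headers: ${removed.join(", ")}`);
  }
  next();
}

// Constructed sample request, shaped like Node's req.headers object.
// Mixed-case key included to show the case-insensitive match.
const sampleReq = {
  headers: {
    host: "app.example",
    accept: "text/html",
    "x-react-router-spa-mode": "yes",
    "X-React-Router-Prerender-Data": "{\"constructed\":true}",
  },
};
```

The same filtering can be done at the CDN or reverse proxy in front of the cache, which also keeps the headers out of any cache-key or logging path downstream.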
2 files changed: +5 -5 lines changed

examples/vite-ts/package-lock.json: 4 additions & 4 deletions (generated file, not rendered by default)

examples/vite-ts/package.json: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
20 | 20 |
| |
21 | 21 |
| |
22 | 22 |
| |
23 |
| - | |
| 23 | + | |
24 | 24 |
| |
25 | 25 |
| |
26 | 26 |
| |
|
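Review bot: the one changed line (23) in examples/vite-ts/package.json carries the whole fix and its content is not shown in this rendering, so confirm it sets react-router to 7.5.2 or a range whose minimum is 7.5.2, not one that can still resolve to 7.5.1. The four changed lines in examples/vite-ts/package-lock.json are hidden as a generated file; check that the resolved react-router entry is 7.5.2 and that no other lockfile entry changed. The release notes quoted in the commit message list only the Single Fetch change for 7.5.2, so verify against the two linked advisories that this version contains the fixes for CVE-2025-43864 and CVE-2025-43865.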