PT-2025-17867 · Unknown · React Router
Cold-Try · Published 2025-04-24 · Updated 2025-12-04 · CVE-2025-43864
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: React Router versions 7.2.0 up to and including 7.5.1 (every release before the fixed 7.5.2).
Description: An unauthenticated attacker can force a React Router application to switch to SPA mode simply by adding the X-React-Router-SPA-Mode header to a request. When the application uses server-side rendering (SSR), the forced switch makes the render fail, and the server returns an error page instead of the requested page. If a cache sits in front of the application (a CDN or reverse-proxy cache that does not key on this header), the error response can be stored and then served to every later visitor of that URL. The result is cache poisoning whose practical effect is a denial of service against the application's availability.
Recommendations: Update React Router to version 7.5.2 or later, which fixes the issue. Until the update is deployed, strip the X-React-Router-SPA-Mode header from incoming requests at the reverse proxy, CDN or load balancer so that it never reaches the application, and check that the cache in front of the application does not store error responses. Restricting access to the affected routes reduces exposure, and the header should not be sent to affected pages until the issue is resolved.
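The mechanism described above and the header-stripping workaround from the recommendations, as an added simulation in JavaScript that is not part of this advisory and is not React Router's own code: a stand-in SSR handler that, like the vulnerable versions, fails whenever the X-React-Router-SPA-Mode header is present sits behind a naive shared cache keyed only on the request path. One attacker request poisons the cached entry for every later visitor, while an edge wrapper that drops the header before the request reaches the cache and the handler keeps the cache clean. The handler, cache and request objects are constructed for the example; the assumption that the mere presence of the header (whatever its value) triggers the failure is taken from the advisory's description.

```javascript
// Added example: simulated SSR origin behind a shared response cache, showing how a
// request-controlled header that flips rendering mode poisons the cache, and a
// mitigation that strips the header at the edge. Illustrative only; this is not
// React Router's implementation.

const SPA_MODE_HEADER = "x-react-router-spa-mode"; // header names compared lowercase

// Stand-in for the framework's request handler (constructed, not React Router code).
// As in the advisory, the presence of the header forces SPA mode, and an SSR app
// cannot render in SPA mode, so the render fails.
function renderApp(request, { ssr = true } = {}) {
  const forcedSpa = request.headers[SPA_MODE_HEADER] !== undefined;
  if (ssr && forcedSpa) {
    throw new Error("SPA Mode: cannot render server-side in SPA mode");
  }
  return { status: 200, body: `<html><body>${request.path}</body></html>` };
}

// Minimal origin server: turns render errors into a 500 error page.
function originHandler(request, opts) {
  try {
    return renderApp(request, opts);
  } catch (err) {
    return {
      status: 500,
      body: `<html><body>Application Error: ${err.message}</body></html>`,
    };
  }
}

// Naive shared cache keyed only on the path. The header is not part of the key
// and error responses are stored, which is exactly what lets one poisoned
// response be served to every later visitor of the same URL.
function makeCache(handler) {
  const store = new Map();
  return function cachedHandler(request) {
    const key = request.path;
    if (!store.has(key)) {
      store.set(key, handler(request));
    }
    return store.get(key);
  };
}

// Mitigation: drop the attacker-controlled header at the edge, before the
// request reaches the cache or the application.
function stripSpaModeHeader(handler) {
  return function strippedHandler(request) {
    const headers = { ...request.headers };
    delete headers[SPA_MODE_HEADER];
    return handler({ ...request, headers });
  };
}

// Scenario (constructed): the attacker sends one request carrying the header,
// then an ordinary user requests the same path through the same cache.
function simulate(edgeHandler) {
  const attacker = { path: "/", headers: { [SPA_MODE_HEADER]: "1" } };
  const victim = { path: "/", headers: {} };
  const first = edgeHandler(attacker);
  const second = edgeHandler(victim);
  return { attackerStatus: first.status, victimStatus: second.status };
}

// Fresh caches on every call so the two configurations do not share state.
function runDemo() {
  const vulnerable = makeCache(originHandler);
  const mitigated = stripSpaModeHeader(makeCache(originHandler));
  return { vulnerable: simulate(vulnerable), mitigated: simulate(mitigated) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

runDemo() returns the status codes seen by the attacker and by the following victim in both configurations: in the vulnerable setup both receive 500, because the attacker's error page was stored under the shared key; with the header stripped at the edge both receive 200. In a real deployment the same stripping belongs in the proxy or CDN configuration in front of the application, and the cache should additionally be configured not to store 5xx responses.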

Weakness Enumeration

Improper Handling of Exceptional Conditions (CWE-755)

Related Identifiers

BDU:2025-15976
CVE-2025-43864
GHSA-F46R-RW29-R322

Affected Products

React Router