CVE-2025-43865

Name of the Vulnerable Software and Affected Versions React Router versions 7.0 through 7.5.1

Description The issue allows an attacker to modify pre-rendered data by adding a header to the request, potentially leading to various exploits, including stored XSS. This is possible due to a vulnerability in React Router, which is a router for React. The vulnerability can be exploited by adding a header to the request, allowing an attacker to completely spoof the contents and modify all the values of the data object passed to the HTML.

Recommendations For React Router versions 7.0 through 7.5.1, update to version 7.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable module or disabling the ability to add headers to requests until a patch is available. Avoid using the vulnerable versions of React Router until the issue is resolved.