Skip to content

fix(deps): update dependency react-router to v7.5.2 [security] #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency react-router to v7.5.2 [security] #214

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 25, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
react-router (source) 7.3.0 -> 7.5.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-43864

Summary

After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.

Details

The vulnerable header is X-React-Router-SPA-Mode; adding it to a request sent to a page/endpoint using a loader throws an error. Here is the vulnerable code :

Capture d’écran 2025-04-07 à 08 28 20

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@​react-router/node": "^7.5.0",
  • "@​react-router/serve": "^7.5.0",
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"
  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

image

  1. Send a request to the endpoint using the loader (/ssr in our case) adding the following header:
X-React-Router-SPA-Mode: yes

Notice the difference between a request with and without the header;

Normal request
Capture d’écran 2025-04-07 à 08 36 27

With the header
Capture d’écran 2025-04-07 à 08 37 01
image

Impact

If a system cache is in place, it is possible to poison the response by completely altering its content (by an error message), strongly impacting its availability, making the latter impractical via a cache-poisoning attack.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

CVE-2025-43865

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :

Capture d’écran 2025-04-07 à 05 36 58

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@​react-router/node": "^7.5.0",
  • "@​react-router/serve": "^7.5.0",
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"
  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)
  3. Access your page (which uses the loader) by suffixing it with .data. In our case the page is called /ssr:

image

We access it by adding the suffix .data and retrieve the data object, needed for the header:

image

  1. Send your request by adding the X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):

Capture d’écran 2025-04-07 à 05 56 10

As you can see, all values ​​have been changed/overwritten by the values ​​provided via the header.

Impact

The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

Release Notes

remix-run/react-router (react-router)

v7.5.2

Compare Source

Patch Changes

  • Update Single Fetch to also handle the 204 redirects used in ?_data requests in Remix v2 (#​13364)

    • This allows applications to return a redirect on .data requests from outside the scope of React Router (i.e., an express/hono middleware)
    • ⚠️ Please note that doing so relies on implementation details that are subject to change without a SemVer major release
    • This is primarily done to ease upgrading to Single Fetch for existing Remix v2 applications, but the recommended way to handle this is redirecting from a route middleware

  • Adjust approach for Prerendering/SPA Mode via headers (#​13453)

v7.5.1

Compare Source

Patch Changes

  • Fix single fetch bug where no revalidation request would be made when navigating upwards to a reused parent route (#​13253)

  • When using the object-based route.lazy API, the HydrateFallback and hydrateFallbackElement properties are now skipped when lazy loading routes after hydration. (#​13376)

    If you move the code for these properties into a separate file, you can use this optimization to avoid downloading unused hydration code. For example:

    createBrowserRouter([
  {
    path: "/show/:showId",
    lazy: {
      loader: async () => (await import("./show.loader.js")).loader,
      Component: async () => (await import("./show.component.js")).Component,
      HydrateFallback: async () =>
        (await import("./show.hydrate-fallback.js")).HydrateFallback,
    },
  },
]);

  • Properly revalidate prerendered paths when param values change (#​13380)

  • UNSTABLE: Add a new unstable_runClientMiddleware argument to dataStrategy to enable middleware execution in custom dataStrategy implementations (#​13395)

  • UNSTABLE: Add better error messaging when getLoadContext is not updated to return a Map" (#​13242)

  • Do not automatically add null to staticHandler.query() context.loaderData if routes do not have loaders (#​13223)

    • This was a Remix v2 implementation detail inadvertently left in for React Router v7
    • Now that we allow returning undefined from loaders, our prior check of loaderData[routeId] !== undefined was no longer sufficient and was changed to a routeId in loaderData check - these null values can cause issues for this new check
    • ⚠️ This could be a "breaking bug fix" for you if you are doing manual SSR with createStaticHandler()/<StaticRouterProvider>, and using context.loaderData to control <RouterProvider> hydration behavior on the client

  • Fix prerendering when a loader returns a redirect (#​13365)

  • UNSTABLE: Update context type for LoaderFunctionArgs/ActionFunctionArgs when middleware is enabled (#​13381)

  • Add support for the new unstable_shouldCallHandler/unstable_shouldRevalidateArgs APIs in dataStrategy (#​13253)

v7.5.0

Compare Source

Minor Changes

  • Add granular object-based API for route.lazy to support lazy loading of individual route properties, for example: (#​13294)

    createBrowserRouter([
  {
    path: "/show/:showId",
    lazy: {
      loader: async () => (await import("./show.loader.js")).loader,
      action: async () => (await import("./show.action.js")).action,
      Component: async () => (await import("./show.component.js")).Component,
    },
  },
]);

    Breaking change for route.unstable_lazyMiddleware consumers

    The route.unstable_lazyMiddleware property is no longer supported. If you want to lazily load middleware, you must use the new object-based route.lazy API with route.lazy.unstable_middleware, for example:

    createBrowserRouter([
  {
    path: "/show/:showId",
    lazy: {
      unstable_middleware: async () =>
        (await import("./show.middleware.js")).middleware,
      // etc.
    },
  },
]);
Patch Changes
  • Introduce unstable_subResourceIntegrity future flag that enables generation of an importmap with integrity for the scripts that will be loaded by the browser. (#​13163)

v7.4.1

Compare Source

Patch Changes

  • Fix types on unstable_MiddlewareFunction to avoid type errors when a middleware doesn't return a value (#​13311)

  • Dedupe calls to route.lazy functions (#​13260)

  • Add support for route.unstable_lazyMiddleware function to allow lazy loading of middleware logic. (#​13210)

    Breaking change for unstable_middleware consumers

    The route.unstable_middleware property is no longer supported in the return value from route.lazy. If you want to lazily load middleware, you must use route.unstable_lazyMiddleware.

v7.4.0

Compare Source

Patch Changes
  • Fix root loader data on initial load redirects in SPA mode (#​13222)
  • Load ancestor pathless/index routes in lazy route discovery for upwards non-eager-discoery routing (#​13203)
  • Fix shouldRevalidate behavior for clientLoader-only routes in ssr:true apps (#​13221)
  • UNSTABLE: Fix RequestHandler loadContext parameter type when middleware is enabled (#​13204)
  • UNSTABLE: Update Route.unstable_MiddlewareFunction to have a return value of Response | undefined instead of Response | void becaue you should not return anything if you aren't returning the Response (#​13199)
  • UNSTABLE(BREAKING): If a middleware throws an error, ensure we only bubble the error itself via next() and are no longer leaking the MiddlewareError implementation detail (#​13180)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Istanbul, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner April 25, 2025 03:15
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Apr 25, 2025

⚠️ No Changeset found

Latest commit: d91f522

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants