CVE-2025-43864 Overview
React Router is a popular routing library for React applications. A cache poisoning vulnerability exists in React Router versions 7.2.0 through 7.5.1 that allows attackers to force Server-Side Rendered (SSR) applications to switch to Single Page Application (SPA) mode by manipulating request headers. When exploited, this causes the application to generate an error response that, if cached by an intermediary cache system, results in persistent denial of service through cache poisoning.
Critical Impact
This vulnerability enables attackers to poison application caches with error responses, causing widespread denial of service that persists until cache invalidation, significantly impacting application availability for all users.
Affected Products
- React Router versions 7.2.0 to 7.5.1
- Applications using React Router SSR with upstream caching systems
- Web applications vulnerable to cache poisoning attacks
Discovery Timeline
- 2025-04-25 - CVE-2025-43864 published to NVD
- 2025-04-29 - Last updated in NVD database
Technical Details for CVE-2025-43864
Vulnerability Analysis
This vulnerability (CWE-755: Improper Handling of Exceptional Conditions) stems from React Router's handling of build-time headers during runtime. The application incorrectly processes headers intended only for build-time prerendering operations when serving live requests. When an attacker sends a request with specific headers that trigger SPA mode, SSR-configured applications experience a rendering failure, generating an error response instead of the expected content.
The attack is particularly severe when combined with caching infrastructure. The poisoned error response gets stored in the cache and served to subsequent legitimate users, amplifying the impact from a single request to potentially all users accessing the affected resource until cache expiration or manual invalidation.
Root Cause
The root cause lies in the server runtime component of React Router, specifically in the handling of mode-switching headers. The original implementation did not properly guard access to build-time-only headers, allowing runtime requests to trigger build-specific code paths. The vulnerable code path is located in packages/react-router/lib/server-runtime/server.ts where headers controlling prerendering and SPA mode were processed without verifying the request context.
Attack Vector
An attacker can exploit this vulnerability remotely over the network without authentication. The attack proceeds as follows:
- The attacker identifies a React Router SSR application with an upstream caching layer
- The attacker crafts a request with headers that force SPA mode
- The attacker sends the request to trigger the error response
- The cache stores the error response for the requested URL
- All subsequent users receive the cached error until TTL expiration
The attack has low complexity and requires no user interaction, making it highly exploitable against vulnerable applications.
// Security patch in packages/react-router/lib/server-runtime/dev.ts
// Source: https://github.com/remix-run/react-router/commit/c84302972a152d851cf5dd859ff332b354b70111
// @ts-expect-error
return globalThis[globalDevServerHooksKey];
}
// Guarded access to build-time-only headers
export function getBuildTimeHeader(request: Request, headerName: string) {
if (typeof process !== "undefined") {
try {
if (process.env?.IS_RR_BUILD_REQUEST === "yes") {
return request.headers.get(headerName);
}
} catch (e) {}
}
return null;
}
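Review bot: the empty `catch (e) {}` in getBuildTimeHeader swallows any error raised while reading `process.env` and gives no reason for doing so. Falling through to `return null` is the right fail-closed default, but a one-line comment saying that is intentional would keep a later refactor from "fixing" it. Separately, the guard rests entirely on `process.env?.IS_RR_BUILD_REQUEST === "yes"`, so the function's doc comment should state that this variable must never be set in a production server's environment; if it is, the request headers are honored again.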
Source: GitHub Commit Details
Detection Methods for CVE-2025-43864
Indicators of Compromise
- Unusual error responses being cached for normally functional routes
- Requests containing unexpected headers targeting SSR/SPA mode switching
- Increased cache miss rates followed by error response caching
- User reports of widespread application unavailability
Detection Strategies
- Monitor cache layers for error responses being stored for production routes
- Implement header inspection at WAF or reverse proxy level to detect suspicious mode-switching headers
- Analyze access logs for requests with unusual header patterns targeting React Router internals
- Set up synthetic monitoring to detect degraded application availability
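An added example (not from the advisory or the React Router project) of the log analysis described under Detection Strategies: it flags build-time headers on live requests and 5xx responses served from cache, and links the two per URL. The JSON log shape (`ts`, `uri`, `status`, `cache`, `reqHeaders`) is an assumption constructed for this example; map the field names to what your proxy or CDN records.

```javascript
// Assumed log shape (constructed for this example): one JSON object per line
// with ts, uri, status, cache ("HIT"/"MISS") and reqHeaders (request header
// names the proxy was configured to record).
function isBuildTimeHeader(name) {
  const h = String(name).toLowerCase();
  return h === "x-react-router-spa-mode" || h.startsWith("x-react-router-prerender");
}

function findPoisoning(logText) {
  const suspects = new Map(); // uri -> ts of first header-bearing request that errored
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!e || typeof e !== "object") continue;
    const hit = (e.reqHeaders || []).filter(isBuildTimeHeader);
    if (hit.length > 0) {
      // Build-time-only headers have no business on live traffic.
      findings.push({ type: "build-header-at-runtime", uri: e.uri, ts: e.ts, headers: hit });
      if (e.status >= 500 && !suspects.has(e.uri)) suspects.set(e.uri, e.ts);
    }
    // A 5xx answered from cache means an error response was stored.
    if (e.cache === "HIT" && e.status >= 500) {
      findings.push({
        type: suspects.has(e.uri) ? "poisoned-cache-entry" : "cached-error",
        uri: e.uri, ts: e.ts, since: suspects.get(e.uri) ?? null,
      });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2025-04-26T10:00:00Z","uri":"/","status":200,"cache":"HIT","reqHeaders":["accept"]}',
  '{"ts":"2025-04-26T10:00:05Z","uri":"/pricing","status":500,"cache":"MISS","reqHeaders":["accept","X-React-Router-SPA-Mode"]}',
  '{"ts":"2025-04-26T10:00:09Z","uri":"/pricing","status":500,"cache":"HIT","reqHeaders":["accept"]}',
  '{"ts":"2025-04-26T10:01:00Z","uri":"/about","status":502,"cache":"HIT","reqHeaders":["accept"]}',
].join("\n");

console.log(findPoisoning(SAMPLE_LOG));
```

A `poisoned-cache-entry` finding names the URL to purge first; a plain `cached-error` still indicates the cache is storing error responses and should be reviewed.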
Monitoring Recommendations
- Enable detailed logging on caching layers to capture cache poisoning attempts
- Configure alerting for abnormal error rates on SSR endpoints
- Implement cache health monitoring to detect poisoned entries
- Review CDN and reverse proxy logs for header manipulation patterns
How to Mitigate CVE-2025-43864
Immediate Actions Required
- Upgrade React Router to version 7.5.2 or later immediately
- Audit current cache contents for potentially poisoned entries and purge if necessary
- Implement header filtering at the edge to strip unexpected mode-switching headers
- Consider temporarily disabling caching for SSR routes until patching is complete
Patch Information
The vulnerability has been fixed in React Router version 7.5.2. The patch introduces a new getBuildTimeHeader() function that guards access to build-time-only headers by checking for the IS_RR_BUILD_REQUEST environment variable. This ensures that mode-switching headers are only processed during build time and ignored during runtime requests.
For detailed patch information, see the GitHub Security Advisory and the patch commit.
Workarounds
- Configure reverse proxies or WAFs to strip headers that control SSR/SPA mode switching
- Implement cache-control headers that prevent error responses from being cached
- Use cache key normalization to exclude suspicious headers from cache key generation
- Consider disabling caching temporarily for affected endpoints until upgrade is possible
# Example nginx configuration to strip the build-time-only headers
# (an empty value stops nginx from passing the header to the upstream)
proxy_set_header X-React-Router-SPA-Mode "";
proxy_set_header X-React-Router-Prerender-Data "";
# Prevent caching of error responses
proxy_cache_valid 500 502 503 504 0;


