Security Flaw in React Router Affects React Applications
CVE-2025-43864
Key Information:
- Vendor: React Router
- Status: Vendor
- CVE Published: 25 April 2025
What is CVE-2025-43864?
CVE-2025-43864 is a vulnerability found in React Router, a key library used for routing in React applications. This flaw exists in versions from 7.2.0 up to, but not including, 7.5.2 (the fixed release) and allows an attacker to force an application to switch from server-side rendering (SSR) to single-page application (SPA) mode by adding a specific header to requests. If exploited, this can lead to significant disruptions for organizations relying on React for their web applications, as it can corrupt web pages and disrupt services that depend on uninterrupted availability.
Technical Details
The vulnerability arises when React Router is forced into SPA mode inappropriately, in particular when the application is running with SSR enabled. This forced transition causes an error that results in a corrupted page. In environments with caching layers in front of the application, such as CDNs, the erroneous response may be cached and served to subsequent users. Caching of the corrupted page turns a single malicious request into an availability problem for every visitor served from that cache.
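As an added defensive example (not code from the advisory or from the React Router project), the following Node.js snippet covers the three controls this description implies: checking whether a deployed React Router version falls in the affected range, stripping the mode-switching header from untrusted requests before they reach the SSR server, and keeping error responses out of shared caches. The page does not name the header, so `x-mode-switch-placeholder` is an assumed placeholder; the `req`/`res` middleware shape is also an assumption.

```javascript
// Added defensive example; not code from the advisory or from React Router.
// ASSUMPTION: the request header that switches the app into SPA mode is not
// named on this page, so 'x-mode-switch-placeholder' stands in for it.

// 1. Affected range from the advisory: 7.2.0 <= version < 7.5.2 (fixed in 7.5.2).
function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('.').map(n => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0); // treat "7.5" as 7.5.0
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

function isVulnerableReactRouter(version) {
  return compareVersions(version, '7.2.0') >= 0 && compareVersions(version, '7.5.2') < 0;
}

// 2. Drop client-supplied internal headers at the edge (reverse proxy or first
//    middleware) so an untrusted request cannot flip the SSR server's mode.
//    HTTP header names are case-insensitive, so compare lower-cased.
const DENIED_REQUEST_HEADERS = ['x-mode-switch-placeholder']; // placeholder name

function stripDeniedHeaders(headers, denylist = DENIED_REQUEST_HEADERS) {
  const deny = new Set(denylist.map(h => h.toLowerCase()));
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!deny.has(name.toLowerCase())) clean[name] = value;
  }
  return clean;
}

// 3. Keep error responses out of shared caches: even if the mode switch still
//    triggers, a 5xx page reaches one client instead of being served by the CDN
//    to everyone. Non-error responses keep whatever policy they already had.
function cacheControlFor(status, current) {
  return status >= 500 ? 'no-store' : current;
}

// Minimal (req, res, next) middleware wiring; setHeader/getHeader/writeHead are
// the Node.js http.ServerResponse methods.
function hardenSsrRequest(req, res, next) {
  req.headers = stripDeniedHeaders(req.headers);
  const origWriteHead = res.writeHead.bind(res);
  res.writeHead = (status, ...rest) => {
    const cc = cacheControlFor(status, res.getHeader('Cache-Control'));
    if (cc !== undefined) res.setHeader('Cache-Control', cc);
    return origWriteHead(status, ...rest);
  };
  next();
}
```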
Potential impact of CVE-2025-43864
- Availability Issues: The primary impact is the potential for reduced availability of affected applications, as users may encounter corrupted pages instead of the intended content. This can lead to significant user frustration and loss of functionality.
- Cache Poisoning: The ability to cache the error responses can lead to cache poisoning, where corrupted data is served to users repeatedly. This can severely degrade user experience and may require substantial efforts to clear and reset caches across distributed systems.
- User Trust and Reputation Damage: Persistent issues stemming from this vulnerability can erode user trust in the application, damage the organization's reputation, and lead to loss of customers who expect reliable performance from web services.
News Articles
NVD - CVE-2025-43864
Description: React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a...
Vulnerabilities | INCIBE-CERT | INCIBE
CVE-2025-43864 Publication date: 25/04/2025 *** Translation pending *** React Router is a router for React. Starting in...
