CVE-2025-43864— React Router allows a DoS via cache poisoning by forcing SPA mode

CVSS 7.5 · High EPSS 0.37% · P59 Updated Apr 29, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-43864

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

React Router allows a DoS via cache poisoning by forcing SPA mode

Source: NVD (National Vulnerability Database)

Vulnerability Description

React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. This issue has been patched in version 7.5.2.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

对异常条件的处理不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

react-router 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

react-router是Remix开源的一个 React 的声明式路由。 react-router 7.2.0至7.5.2之前版本存在安全漏洞，该漏洞源于通过添加请求标头可能强制应用切换到SPA模式，可能导致缓存投毒。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
remix-run	react-router	>= 7.2.0, < 7.5.2	-

II. Public POCs for CVE-2025-43864

#	POC Description	Source Link	Shenlong Link
1	None	https://github.com/pouriam23/DoS-via-cache-poisoning-by-forcing-SPA-mode-CVE-2025-43864-	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-43864

请登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: react-router

Same vendor: remix-run

Same weakness: CWE-755

V. Comments for CVE-2025-43864

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-43864— React Router allows a DoS via cache poisoning by forcing SPA mode

I. Basic Information for CVE-2025-43864

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-43864

III. Intelligence Information for CVE-2025-43864

IV. Related Vulnerabilities

V. Comments for CVE-2025-43864

Leave a comment