React Router DOM has a significant update with version 7.0.0, offering notable changes compared to the previous stable version, 6.30.1. This new major release sees React Router (the core routing logic) bumped to version 7.0.0 as well, while version 6.30.1 depended on React Router 6.30.1 and @remix-run/router 1.23.0. A key difference lies in the developer tooling: version 7.0.0 utilizes tsup for bundling and includes wireit for managing scripts and dependencies, alongside development dependencies for typescript, indicating a modernized build process focused on efficiency and potentially improved TypeScript support.
The peer dependency requirements also reflect an evolving ecosystem. Version 7.0.0 mandates React and React DOM versions of at least 18, aligning with the latest React features and performance improvements. In contrast, the older version 6.30.1 supported React and React DOM versions starting from 16.8, offering wider compatibility with older projects. Developers should carefully assess their project's React version before upgrading.
The dist object reveals differences in package size and structure. Version 7.0.0 demonstrates a reduced unpackedSize – 5414 bytes, compared to 6.30.1's 902307 bytes, suggesting potential improvements in code optimization and a smaller bundle size for faster loading times, which is good for enhanced web performance. Given the differences in fileCount, the internal organization and packaging strategy likely underwent changes as well. The release dates show version 7.0.0 was (supposedly) released in November of 2024 and Version 6.30.1 was released in may of 2025.
All the vulnerabilities related to the version 7.0.0 of the package
React Router allows pre-render data spoofing on React-Router framework mode
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :
To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Versions used for our PoC:
routes/ssr).data. In our case the page is called /ssr:We access it by adding the suffix .data and retrieve the data object, needed for the header:
X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):As you can see, all values have been changed/overwritten by the values provided via the header.
The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.