React Router DOM, a cornerstone library for declarative routing in React web applications, has seen a recent update with the release of version 7.1.5, succeeding the previous stable version 7.1.4. While on the surface the changes might seem minor, understanding the nuances between these versions is crucial for developers seeking optimal performance and stability in their routing implementation.
Both versions share a core dependency on corresponding react-router versions (7.1.5 and 7.1.4, respectively), implying that the fundamental routing logic remains consistent. They also maintain identical peer dependencies on React and React DOM (both requiring versions >=18), ensuring compatibility with modern React projects. Development dependencies like tsup, wireit, and typescript remain unchanged, suggesting that the build and development pipeline has not undergone significant alterations. The project's structure, license, and authorship also remain consistent.
The most significant difference lies in the releaseDate. Version 7.1.5 was released on "2025-01-31T20:59:47.291Z," while version 7.1.4 came out on "2025-01-30T16:22:15.553Z." This one-day difference typically indicates that version 7.1.5 likely incorporates bug fixes, performance enhancements, or very minor feature additions addressing issues identified in 7.1.4.
For developers, while both versions are relatively recent and built on similar foundations, upgrading to 7.1.5 is generally advisable. It will ensure access to the latest refinements and bug fixes, even if they appear incremental. Checking the changelog or release notes for react-router between versions 7.1.4 and 7.1.5 for detailed information about the specific changesets is recommended for a complete understanding.
All the vulnerabilities related to the version 7.1.5 of the package
React Router allows pre-render data spoofing on React-Router framework mode
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :
To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Versions used for our PoC:
routes/ssr).data. In our case the page is called /ssr:We access it by adding the suffix .data and retrieve the data object, needed for the header:
X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):As you can see, all values have been changed/overwritten by the values provided via the header.
The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.