React Router v7.1.1 is a minor update over v7.1.0, focusing primarily on internal improvements and bug fixes rather than introducing significant new features. For developers, both versions offer a robust and declarative routing solution for React applications, simplifying navigation and UI management. They share the same core dependencies, including cookie, turbo-stream, @types/cookie, and set-cookie-parser, ensuring consistent functionality for handling cookies and server-sent events. The development dependencies, such as tsup, react, rimraf, wireit, react-dom, typescript, and @types/set-cookie-parser, remain identical, indicating a similar build and testing environment. Peer dependencies for both versions are react and react-dom (>=18), maintaining compatibility with React 18 and above.
The key difference lies in the dist object and the releaseDate. Version 7.1.1 has a slightly different unpacked size (2270911 bytes compared to 2270901 bytes in v7.1.0), suggesting minor code optimizations or bug fixes that affect the final bundle size. The release date of v7.1.1 is December 23, 2024, while v7.1.0 was released on December 20, 2024, indicating a quick follow-up release. Developers upgrading from v7.1.0 to v7.1.1 can expect a seamless transition with minimal impact on their existing code, benefiting mainly from potential bug fixes and slight performance enhancements. If your application relies heavily on edge cases or specific behaviors, reviewing the detailed changelog or commits between these versions is advisable.
All the vulnerabilities related to the version 7.1.1 of the package
React Router allows pre-render data spoofing on React-Router framework mode
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :
To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Versions used for our PoC:
routes/ssr).data. In our case the page is called /ssr:We access it by adding the suffix .data and retrieve the data object, needed for the header:
X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):As you can see, all values have been changed/overwritten by the values provided via the header.
The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.