React Router, a declarative routing library for React applications maintained by Remix Software, has seen a recent update from version 7.1.1 to 7.1.2. Both versions offer the same core functionality, including dependencies on 'cookie', 'turbo-stream', '@types/cookie', and 'set-cookie-parser' for handling cookies and stream updates. Development dependencies like 'tsup' for bundling, 'react', 'react-dom', 'typescript', 'rimraf', 'wireit', and '@types/set-cookie-parser' remain consistent, ensuring a familiar development environment. Peer dependencies specify that React and React DOM versions 18 or higher are required.
The key difference lies in the release date and the unpacked size of the distribution. Version 7.1.2 was released on January 16, 2025, with an unpacked size of 2277325 bytes, while version 7.1.1 was released on December 23, 2024, with an unpacked size of 2270911 bytes. The file count is the same, and the small change in size likely indicates minor fixes, performance improvements, or internal adjustments.
For developers, react-router remains a solid choice for managing navigation in React applications. The license is MIT. If you're already using React Router and want the latest fixes or performance tweaks, upgrading to 7.1.2 is advised. Review the complete changelog of react-router if you want a full picture of its changes.
All vulnerabilities related to version 7.1.2 of the package
React Router allows pre-render data spoofing on React-Router framework mode
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows an attacker to completely spoof its contents and overwrite every value of the data object passed to the HTML. Latest versions are impacted.
The vulnerable header is X-React-Router-Prerender-Data; a specific JSON object must be passed in it for the spoofing to succeed, as we will see shortly. Here is the vulnerable code:
To use the header, React Router must be running in Framework mode, and for the attack to be possible the target page must use a loader.
Versions used for our PoC:
The target route is routes/ssr. In our case the page is called /ssr. We access it by adding the suffix .data and retrieve the data object, needed for the header:
Next, we resend the request with the X-React-Router-Prerender-Data header, using the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, which are necessary for the object to be processed correctly and not throw an error):
As you can see, all values have been changed/overwritten by the values provided via the header.
The impact is significant: if a caching layer is in place, an attacker can poison a cached response in which all of the data transmitted via a loader has been altered, taking control of the page content and modifying it at will through a cache-poisoning attack. This can lead to several types of attacks, including potential stored XSS, depending on the context in which the data is injected and/or how it is used on the client side.
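Upgrading is the real fix; until then, a defensive filter in front of the framework handler can log and drop the header so loader data is always computed server-side. The following is an added example, not code from the advisory or from React Router; it assumes a Node-style lowercase header map (as in Express's `req.headers`) and that ordinary clients never legitimately send this header, and the spoofed payload shown is constructed.

```javascript
'use strict';
// Header named in the advisory; Node lowercases incoming header names.
const PRERENDER_HEADER = 'x-react-router-prerender-data';

// Describe what an incoming request carries in the header, for logging/alerting.
// Returns { present: false } when the header is absent.
function inspectPrerenderHeader(headers) {
  const raw = headers[PRERENDER_HEADER];
  if (raw === undefined) return { present: false };
  const text = String(raw);
  let parsed = null;
  try {
    parsed = JSON.parse(text);
  } catch (_) {
    // Not valid JSON: the framework would reject it, but it is still a probe.
  }
  const isObject = parsed !== null && typeof parsed === 'object';
  return {
    present: true,
    validJson: parsed !== null,
    // Top-level keys tell the analyst which part of the loader payload was targeted.
    topLevelKeys: isObject ? Object.keys(parsed) : [],
    bytes: Buffer.byteLength(text),
  };
}

// Return a copy of the headers without the spoofing header (pure, for tests/proxies).
function stripPrerenderHeader(headers) {
  const cleaned = { ...headers };
  delete cleaned[PRERENDER_HEADER];
  return cleaned;
}

// Express-style middleware: log the attempt and remove the header before the
// React Router request handler sees it. Hypothetical usage:
//   app.use(blockPrerenderSpoofing(console.warn));
function blockPrerenderSpoofing(log = console.warn) {
  return function (req, res, next) {
    const finding = inspectPrerenderHeader(req.headers);
    if (finding.present) {
      log(`[react-router] dropped ${PRERENDER_HEADER} on ${req.method} ${req.url}`, finding);
      delete req.headers[PRERENDER_HEADER];
    }
    next();
  };
}

// Constructed sample request imitating the advisory's PoC shape.
const sampleHeaders = {
  host: 'example.test',
  [PRERENDER_HEADER]: '{"data":{"title":"spoofed","body":"<img src=x onerror=1>"}}',
};
console.log(inspectPrerenderHeader(sampleHeaders));
```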