React Router Cache Poisoning Vulnerability Leading to Denial-of-Service

A vulnerability in React Router versions 7.2.0 through 7.5.1 allows applications to be forced into Single Page Application (SPA) mode by adding a specific header to the request. This manipulation can cause errors that corrupt the page, and if a caching system is active, the erroneous response can be cached, leading to a denial-of-service condition by poisoning the cache with corrupted content. The issue has been fixed in version 7.5.2.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by poisoning the cache with corrupted responses, which can significantly disrupt the application's availability.

Reproduction

To reproduce this vulnerability, first install React Router in Framework mode, ensuring the version is between 7.2.0 and 7.5.1. Next, create a page that uses a loader. Then, send a request to this page while including the 'X-React-Router-SPA-Mode' header set to 'yes'. This will force the application to switch to SPA mode, bypassing server-side rendering, and trigger an error that corrupts the page. If caching is enabled, this error will be cached, poisoning the cache with the corrupted response.

Remediation

Users can update to React Router version 7.5.2 or later to address this vulnerability.