React-Router : Pre-render data spoofing + CPDoS (no research paper)

Published in zhero_web_security, 2025

Security advisories

  • CVE-2025-43865 : Pre-render data spoofing on React-Router framework mode (8.2 - high)
  • CVE-2025-43864 : DoS via cache poisoning by forcing SPA mode (7.5 - high)

A little more here.

Research conducted by zhero; & inzo_

Published in April 2025