CVE-2025-43864: 
JavaScript vulnerability analysis and mitigation

React Router, a widely used router for React with approximately 14 million weekly downloads, disclosed a high-severity vulnerability (CVE-2025-43864) affecting versions 7.2.0 through 7.5.1. The vulnerability was discovered and reported on April 24, 2025, allowing attackers to force applications into Single Page Application (SPA) mode through header manipulation (Security Online, GitHub Advisory).

The vulnerability stems from the ability to force an application to switch to SPA mode by adding a specially crafted X-React-Router-SPA-Mode header to the request. When exploited against applications using Server-Side Rendering (SSR), this causes an error that corrupts the page completely. The vulnerability has been assigned a CVSS score of 7.5 (High), with attack vector metrics indicating network-based attacks with low complexity and no required privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is on application availability. When a caching system is in place, the corrupted response can be cached, resulting in cache poisoning that severely impacts the application's availability. This can lead to persistent disruption of service for legitimate users accessing the affected pages (GitHub Advisory, Security Online).

The vulnerability has been patched in React Router version 7.5.2. Organizations using affected versions should upgrade immediately to the patched version. Additionally, Cloudflare has implemented mitigation measures to protect their customers from this vulnerability (CloudflareDev).