How the CVE Works
The vulnerability occurs when React-Router (Framework mode) processes the `X-React-Router-SPA-Mode` header, forcing Server-Side Rendering (SSR) pages into Single-Page Application (SPA) mode. This triggers an unhandled error, corrupting the page response. If cached, the poisoned response serves the error to all users, causing a denial-of-service (DoS) via cache poisoning. The attack requires a page using a `loader` function and a misconfigured cache layer storing error responses.
DailyCVE Form
Platform: React-Router
Version: 7.5.0
Vulnerability: Cache Poisoning
Severity: Critical
Date: 2024-04-25
What Undercode Say:
Exploitation:
1. Craft Malicious Request:
curl -H "X-React-Router-SPA-Mode: yes" http://target.com/ssr
2. Cache Poisoning: Repeat requests until cached.
Detection:
1. Check Headers:
if (req.headers['x-react-router-spa-mode']) { blockRequest(); }
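2. Log Analysis (this only matches if the nginx `log_format` has been extended to write the header name and value; the default `combined` format records neither):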
grep "X-React-Router-SPA-Mode" /var/log/nginx/access.log
Mitigation:
1. Patch: Upgrade to React-Router ≥7.5.1.
2. Header Sanitization:
proxy_set_header X-React-Router-SPA-Mode "";
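3. Cache Control (`proxy_cache_bypass` only skips the cache lookup; `proxy_no_cache` is what stops the response from being stored):
proxy_cache_bypass $http_x_react_router_spa_mode;
proxy_no_cache $http_x_react_router_spa_mode;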
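The following is an added example, not code from React Router or from the original post: an in-memory model of a URL-keyed cache in front of an SSR route, showing why a stored error response reaches clean requests and how header stripping or refusing to store error responses prevents it. The names `origin`, `makeCache`, `cleanUserSees`, the option names and the 500 status are assumptions made for the model.

```javascript
// Added example: models a shared cache in front of an SSR origin.
// All function and option names here are hypothetical, not React Router APIs.
const HEADER = 'x-react-router-spa-mode';

// Stand-in for an affected SSR route: the header makes rendering fail
// (modelled here as a 500 response; the status code is an assumption).
function origin(req) {
  return req.headers[HEADER]
    ? { status: 500, body: 'Unexpected Server Error' }
    : { status: 200, body: '<html>SSR page</html>' };
}

// Cache keyed on URL only, as in the misconfiguration described above.
// stripHeader models `proxy_set_header X-React-Router-SPA-Mode "";`
// cacheErrors=false models a cache that refuses to store error responses.
function makeCache({ stripHeader = false, cacheErrors = true } = {}) {
  const store = new Map();
  return function handle(req) {
    if (store.has(req.url)) return { ...store.get(req.url), cache: 'HIT' };
    const headers = { ...req.headers };
    if (stripHeader) delete headers[HEADER];
    const res = origin({ url: req.url, headers });
    if (res.status < 400 || cacheErrors) store.set(req.url, res);
    return { ...res, cache: 'MISS' };
  };
}

// Constructed traffic: one request carrying the header, then one clean
// request for the same URL. Returns what the clean request receives.
function cleanUserSees(cache) {
  cache({ url: '/ssr', headers: { [HEADER]: 'yes' } });
  return cache({ url: '/ssr', headers: {} });
}
```

With default options the clean request gets the cached error; with either `stripHeader: true` or `cacheErrors: false` it gets the normal page.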
Proof of Concept (PoC):
// Server-side check
app.use((req, res, next) => {
  if (req.headers['x-react-router-spa-mode']) {
    res.status(400).send("Invalid header");
  } else {
    next();
  }
});
References:
Sources:
Reported By: github.com