Skip to content

[Security] Bump react-router and react-router-dom

Ronan Amicelrequested to merge
dependabot-npm_and_yarn-react-router-and-react-router-dom-7.5.2 into main

Bumps react-router to 7.5.2 and updates ancestor dependency react-router-dom. These dependencies need to be updated together.

Updates react-router from 7.1.1 to 7.5.2 This update includes a security fix.

Vulnerabilities fixed

React Router allows pre-render data spoofing on React-Router framework mode

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@​react-router/node": "^7.5.0",
  • "@​react-router/serve": "^7.5.0",
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"
  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

... (truncated)

Patched versions: 7.5.2 Affected versions: >= 7.0, <= 7.5.1

Release notes

Sourced from react-router's releases.

v7.5.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v752

v7.5.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v751

v7.5.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v750

v7.4.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v741

v7.4.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v740

v7.3.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v730

v7.2.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v720

v.7.1.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v715

v7.1.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v714

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

v7.1.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v712

Changelog

Sourced from react-router's changelog.

7.5.2

Patch Changes

  • Update Single Fetch to also handle the 204 redirects used in ?_data requests in Remix v2 (#13364)

    • This allows applications to return a redirect on .data requests from outside the scope of React Router (i.e., an express/hono middleware)
    • ⚠️ Please note that doing so relies on implementation details that are subject to change without a SemVer major release
    • This is primarily done to ease upgrading to Single Fetch for existing Remix v2 applications, but the recommended way to handle this is redirecting from a route middleware

  • Adjust approach for Prerendering/SPA Mode via headers (#13453)

7.5.1

Patch Changes

  • Fix single fetch bug where no revalidation request would be made when navigating upwards to a reused parent route (#13253)

  • When using the object-based route.lazy API, the HydrateFallback and hydrateFallbackElement properties are now skipped when lazy loading routes after hydration. (#13376)

    If you move the code for these properties into a separate file, you can use this optimization to avoid downloading unused hydration code. For example:

    createBrowserRouter([
  {
    path: "/show/:showId",
    lazy: {
      loader: async () => (await import("./show.loader.js")).loader,
      Component: async () => (await import("./show.component.js")).Component,
      HydrateFallback: async () =>
        (await import("./show.hydrate-fallback.js")).HydrateFallback,
    },
  },
]);

  • Properly revalidate prerendered paths when param values change (#13380)

  • UNSTABLE: Add a new unstable_runClientMiddleware argument to dataStrategy to enable middleware execution in custom dataStrategy implementations (#13395)

  • UNSTABLE: Add better error messaging when getLoadContext is not updated to return a Map" (#13242)

  • Do not automatically add null to staticHandler.query() context.loaderData if routes do not have loaders (#13223)

    • This was a Remix v2 implementation detail inadvertently left in for React Router v7
    • Now that we allow returning undefined from loaders, our prior check of loaderData[routeId] !== undefined was no longer sufficient and was changed to a routeId in loaderData check - these null values can cause issues for this new check
    • ⚠️ This could be a "breaking bug fix" for you if you are doing manual SSR with createStaticHandler()/<StaticRouterProvider>, and using context.loaderData to control <RouterProvider> hydration behavior on the client

  • Fix prerendering when a loader returns a redirect (#13365)

... (truncated)

Commits

Updates react-router-dom from 7.1.1 to 7.5.2

Release notes

Sourced from react-router-dom's releases.

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.15
    • react-router-dom@6.4.0-pre.15

react-router-dom-v5-compat@6.4.0-pre.11

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.11
    • react-router-dom@6.4.0-pre.11

react-router-dom-v5-compat@6.4.0-pre.10

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.10
    • react-router-dom@6.4.0-pre.10

react-router-dom-v5-compat@6.4.0-pre.9

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.9
    • react-router-dom@6.4.0-pre.9

react-router-dom-v5-compat@6.4.0-pre.8

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.8
    • react-router-dom@6.4.0-pre.8

react-router-dom-v5-compat@6.4.0-pre.7

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.7
    • react-router-dom@6.4.0-pre.7
Changelog

Sourced from react-router-dom's changelog.

7.5.2

Patch Changes

  • Updated dependencies:
    • react-router@7.5.2

7.5.1

Patch Changes

  • Updated dependencies:
    • react-router@7.5.1

7.5.0

Patch Changes

  • Updated dependencies:
    • react-router@7.5.0

7.4.1

Patch Changes

  • Updated dependencies:
    • react-router@7.4.1

7.4.0

Patch Changes

  • Updated dependencies:
    • react-router@7.4.0

7.3.0

Patch Changes

  • Updated dependencies:
    • react-router@7.3.0

7.2.0

Patch Changes

  • Updated dependencies:
    • react-router@7.2.0

7.1.5

... (truncated)

Commits

Merge request reports