Files: 149
Run time: 3s
Trigger: push (github)
chore(deps): update dependency react-router to v7.5.2 [security] (main) (#7271)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [react-router](https://redirect.github.com/remix-run/react-router) ([source](https://redirect.github.com/remix-run/react-router/tree/HEAD/packages/react-router)) | [`7.5.1` -> `7.5.2`](https://renovatebot.com/diffs/npm/react-router/7.5.1/7.5.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-43864](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322)

## Summary

After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.

## Details

The vulnerable header is `X-React-Router-SPA-Mode`; adding it to a request sent to a page/endpoint using a loader throws an error. Here is [the vulnerable code](https://redirect.github.com/remix-run/react-router/blob/e6c53a013/packages/react-router/lib/server-runtime/server.ts#L407):

<img wi... (continued)
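The advisory above describes a header-triggered SSR failure that becomes a cache-poisoning issue once a URL-keyed cache stores the error. The following is an added example, not react-router's code and not part of the PR: it models that failure mode with a constructed stand-in handler (the real affected code is the server runtime linked above), then shows the two defence-in-depth controls a practitioner would put in front of an SSR app regardless of library version: strip the internal `X-React-Router-SPA-Mode` header from untrusted requests at the edge, and never store error responses in the shared cache. The route `/dashboard`, the host `app.example`, and the helper names are assumptions. It uses the Fetch API `Request`/`Response`/`Headers` globals (Node 18+), which is also the API the react-router server runtime is built on.

```javascript
// Added example modelling CVE-2025-43864 style cache poisoning and two
// mitigations. Not react-router code; the handler below is a constructed
// stand-in for "a route with a loader fails when the header is present".

const SPA_MODE_HEADER = "x-react-router-spa-mode";

// Constructed stand-in for an affected SSR handler. A real deployment would
// be the framework's request handler; here the failure is modelled as a 500.
function simulatedSsrHandler(request) {
  const { pathname } = new URL(request.url);
  const routeHasLoader = pathname === "/dashboard"; // assumed route with a loader
  if (routeHasLoader && request.headers.has(SPA_MODE_HEADER)) {
    return new Response("Internal Server Error", { status: 500 });
  }
  return new Response("<html>dashboard</html>", { status: 200 });
}

// Mitigation 1 (edge / reverse proxy): drop the internal header from
// untrusted requests so a client cannot flip the server into SPA mode.
function stripInternalHeaders(request) {
  const headers = new Headers(request.headers);
  headers.delete(SPA_MODE_HEADER);
  return new Request(request.url, { method: request.method, headers });
}

// A cache keyed by URL only. This is the setting in which poisoning works:
// whichever response is seen first for a URL is replayed to every client.
class NaiveCache {
  constructor() { this.store = new Map(); }
  get(url) { return this.store.get(url); }
  put(url, response) { this.store.set(url, response); return true; }
}

// Mitigation 2 (cache policy): never store error responses, so a single
// failed render cannot be served to other clients from the cache.
class SafeCache extends NaiveCache {
  put(url, response) {
    if (!response.ok) return false; // 4xx/5xx are not cached
    return super.put(url, response);
  }
}

// Pipeline: cache lookup -> optional header stripping -> handler -> cache store.
function serve(cache, handler, request, { stripHeaders = false } = {}) {
  const cached = cache.get(request.url);
  if (cached) return cached;
  const upstream = stripHeaders ? stripInternalHeaders(request) : request;
  const response = handler(upstream);
  cache.put(request.url, response);
  return response;
}

// Probe: the same URL with and without the header. A route that answers
// normally but fails once the header is added is exhibiting the advisory's
// behaviour (a real probe would send both over HTTP and compare statuses).
function probe(handler, url) {
  const baseline = handler(new Request(url)).status;
  const withHeader = handler(
    new Request(url, { headers: { [SPA_MODE_HEADER]: "1" } })
  ).status;
  return { baseline, withHeader, degraded: baseline < 500 && withHeader >= 500 };
}

// Scenario: an attacker primes the cache with the header set, then an
// ordinary client requests the same URL. Returns both observed statuses.
function runScenario(cache, options = {}) {
  const url = "http://app.example/dashboard"; // constructed host and path
  const attacker = new Request(url, { headers: { [SPA_MODE_HEADER]: "1" } });
  const victim = new Request(url);
  const attackerStatus = serve(cache, simulatedSsrHandler, attacker, options).status;
  const victimStatus = serve(cache, simulatedSsrHandler, victim, options).status;
  return { attackerStatus, victimStatus };
}

// Unmitigated: the victim receives the cached error.
console.log("naive cache:", runScenario(new NaiveCache()));
// Error responses not cached: the victim still renders.
console.log("safe cache:", runScenario(new SafeCache()));
// Header stripped at the edge: nobody sees the error at all.
console.log("stripped:", runScenario(new NaiveCache(), { stripHeaders: true }));
```

The version bump in this PR is the actual fix; the two controls above are worth keeping anyway, since an internal control header that reaches the application from the public internet, and a cache that stores whatever status the origin returns, are each a problem on their own.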
65 of 2965 branches covered (2.19%)
712 of 4679 relevant lines covered (15.22%)
57.08 hits per line
| Coverage | ∆ | File | Lines | Relevant | Covered | Missed | Hits/Line | Branch Hits | Branch Misses |
|---|---|---|---|---|---|---|---|---|---|