Protection against React Router and Remix vulnerabilities
React Router patches two high-severity vulnerabilities in version 7.5.2, addressing cache poisoning DoS (CVE-2025-43864) and stored XSS (CVE-2025-43865) affecting versions 7.0.0 through 7.5.1.
Security researchers reviewing the Remix web framework have discovered two high-severity vulnerabilities in React Router. Vercel proactively deployed mitigation to the Vercel Firewall and Vercel customers are protected.
CVE-2025-43864 and CVE-2025-43865 enable an external party to modify the response using certain request headers, which can lead to cache poisoning Denial of Service (DoS). CVE-2025-43865 enables vulnerabilities such as stored Cross Site Scripting (XSS).
When we learned about the vulnerability, we started analyzing the impact to the Vercel platform. Here are our findings and recommendations:
Both issues have been patched in React Router 7.5.2.
We recommend updating to the latest version and redeploying.
If you are using additional layers of caching, including Cloudflare or other CDNs, we recommend purging those caches separately.
Thank you to zhero for disclosing the vulnerability.
Impact and analysis
We were able to reproduce the vulnerability and demonstrate that cache poisoning is trivial, including stored Cross Site Scripting (XSS) injections. The only precondition is that the customer used an impacted version of Remix / React Router (v7.0.0 branch prior to…
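To check a project against the affected range stated above, the following added example (not from Vercel or the React Router project) scans an npm lockfile for installed copies of react-router between 7.0.0 and 7.5.1, including nested copies pulled in by other dependencies. It assumes the npm `packages` lockfile layout (lockfileVersion 2 or 3) and the npm package name `react-router`; the sample lockfile is constructed.

```javascript
// Added example. Range taken from the advisory: 7.0.0 through 7.5.1, fixed in 7.5.2.
const AFFECTED_MIN = [7, 0, 0];
const FIXED_IN = [7, 5, 2];

// "7.5.1" or "7.5.1-pre.0" -> [7, 5, 1]; null when the string is not semver-like.
// Pre-release and build tags are ignored; only the core triple is compared.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, FIXED_IN) < 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every installed copy of react-router, nested copies included.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/react-router$/.test(path)) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile; package names other than react-router are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-router": { version: "7.5.2" },
    "node_modules/some-ui-kit/node_modules/react-router": { version: "7.1.3" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "6.30.0" },
  },
};

console.log(findAffected(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffected`; a nested hit means a dependency still pins an affected copy even though the top-level install is patched.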