Skip to content

fix(react-router): Replace module proxy with otel wrap #16373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: develop
Choose a base branch
from
Draft

fix(react-router): Replace module proxy with otel wrap #16373

wants to merge 2 commits into from

Conversation

chargome
Copy link
Member

No description provided.

@chargome chargome self-assigned this May 23, 2025
semgrep-code-getsentry[bot]
semgrep-code-getsentry bot reviewed May 23, 2025
View reviewed changes
packages/react-router/src/server/instrumentation/reactRouter.ts
} catch (error) {
return originalRequestHandler(request, initialContext);
}
private _patchCreateRequestHandler(): (original: typeof reactRouter.createRequestHandler) => any {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: Affected versions of react-router are vulnerable to Insufficient Verification of Data Authenticity. A vulnerability in React Router's Framework mode allows an attacker to spoof pre-rendered loader data by providing a crafted JSON payload via the X-React-Router-Prerender-Data header. This manipulation can poison cached responses and lead to unintended page modifications, including potential XSS attacks.

Fix: Upgrade this library to at least version 7.5.2 at sentry-javascript/yarn.lock:24603.

Reference(s): GHSA-cpj6-fhp6-mr6j, CVE-2025-43865

💬 To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-beb7e482-8f90-9d54-a2cb-68c86458077b.

semgrep-code-getsentry[bot]
semgrep-code-getsentry bot reviewed May 23, 2025
View reviewed changes
packages/react-router/src/server/instrumentation/reactRouter.ts
return function sentryWrappedCreateRequestHandler(this: unknown, ...args: unknown[]) {
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore not sure why original isn't found here?
const originalRequestHandler = (original as typeof reactRouter.createRequestHandler).apply(this, args);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: Affected versions of react-router are vulnerable to Insufficient Verification of Data Authenticity. A vulnerability in React Router's Framework mode allows an attacker to spoof pre-rendered loader data by providing a crafted JSON payload via the X-React-Router-Prerender-Data header. This manipulation can poison cached responses and lead to unintended page modifications, including potential XSS attacks.

Fix: Upgrade this library to at least version 7.5.2 at sentry-javascript/yarn.lock:24603.

Reference(s): GHSA-cpj6-fhp6-mr6j, CVE-2025-43865

💬 To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-beb7e482-8f90-9d54-a2cb-68c86458077b.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@semgrep-code-getsentry semgrep-code-getsentry[bot] semgrep-code-getsentry[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@chargome chargome

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@chargome