CVE-2024-24558 – @tanstack/react-query-next-experimental

Package

Manager: npm
Name: @tanstack/react-query-next-experimental
Vulnerable Version: >=5.0.0 <5.18.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00496 pctl0.64798

Details

react-query-streamed-hydration Cross-site Scripting vulnerability ### Impact The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. This vulnerability arises from improper handling of untrusted input when `@tanstack/react-query-next-experimental` performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages. ### Patches To fix this issue, please update to version 5.18.0 or later. ### Workarounds There are no known workarounds for this issue. Please update to version 5.18.0 or later.

Metadata

Created: 2024-01-30T20:57:22Z
Modified: 2024-01-30T21:34:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-997g-27x8-43rf/GHSA-997g-27x8-43rf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-997g-27x8-43rf
Finding: F425
Auto approve: 1