Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05OTdnLTI3eDgtNDNyZs4AA482
react-query-streamed-hydration Cross-site Scripting vulnerability
Impact
The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint.
This vulnerability arises from improper handling of untrusted input when @tanstack/react-query-next-experimental performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.
Patches
To fix this issue, please update to version 5.18.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 5.18.0 or later.
Permalink: https://github.com/advisories/GHSA-997g-27x8-43rfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OTdnLTI3eDgtNDNyZs4AA482
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-997g-27x8-43rf, CVE-2024-24558
References:
- https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf
- https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1
- https://nvd.nist.gov/vuln/detail/CVE-2024-24558
- https://github.com/advisories/GHSA-997g-27x8-43rf
Blast Radius: 8.8
Affected Packages
npm:@tanstack/react-query-next-experimental
Dependent packages: 6Dependent repositories: 12
Downloads: 172,569 last month
Affected Version Ranges: >= 5.0.0, < 5.18.0
Fixed in: 5.18.0
All affected versions: 5.0.0, 5.0.5, 5.4.3, 5.5.0, 5.7.0, 5.7.1, 5.7.2, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.6, 5.8.7, 5.8.9, 5.9.0, 5.10.0, 5.12.0, 5.12.1, 5.12.2, 5.13.4, 5.14.0, 5.14.1, 5.14.2, 5.14.6, 5.15.0, 5.15.3, 5.15.4, 5.15.5, 5.17.0, 5.17.1, 5.17.3, 5.17.4, 5.17.5, 5.17.7, 5.17.8, 5.17.9, 5.17.10, 5.17.12, 5.17.14, 5.17.15, 5.17.19
All unaffected versions: 5.18.0, 5.18.1, 5.19.1, 5.20.1, 5.20.2, 5.20.4, 5.20.5, 5.21.2, 5.21.4, 5.21.6, 5.21.7, 5.22.2, 5.24.1, 5.24.2, 5.24.5, 5.24.6, 5.24.7, 5.24.8, 5.25.0, 5.26.3, 5.27.1, 5.27.3, 5.27.4, 5.27.5, 5.28.0, 5.28.2, 5.28.4, 5.28.6, 5.28.8, 5.28.9, 5.28.12, 5.28.13, 5.28.14, 5.29.0, 5.29.2, 5.31.0, 5.32.0