Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1ydjhwLXJyMmgtZmdwZ84AA484

@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability

Impact

The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. This vulnerability arises from improper handling of untrusted input when @apollo/experimental-apollo-client-nextjs performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.

Patches

To fix this issue, please update to version 0.7.0 or later.

Workarounds

There are no known workarounds for this issue. Please update to version 0.7.0

Permalink: https://github.com/advisories/GHSA-rv8p-rr2h-fgpg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydjhwLXJyMmgtZmdwZ84AA484
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago

CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-rv8p-rr2h-fgpg, CVE-2024-23841
References:

Repository: https://github.com/apollographql/apollo-client-nextjs
Blast Radius: 13.6

Affected Packages

npm:@apollo/experimental-nextjs-app-support

Dependent packages: 15
Dependent repositories: 45
Downloads: 495,652 last month
Affected Version Ranges: <= 0.6.0
Fixed in: 0.7.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.6.0
All unaffected versions: 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6