Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ydjhwLXJyMmgtZmdwZ84AA484
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
Impact
The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. This vulnerability arises from improper handling of untrusted input when @apollo/experimental-apollo-client-nextjs performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.
Patches
To fix this issue, please update to version 0.7.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 0.7.0
Permalink: https://github.com/advisories/GHSA-rv8p-rr2h-fgpgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydjhwLXJyMmgtZmdwZ84AA484
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-rv8p-rr2h-fgpg, CVE-2024-23841
References:
- https://github.com/apollographql/apollo-client-nextjs/security/advisories/GHSA-rv8p-rr2h-fgpg
- https://nvd.nist.gov/vuln/detail/CVE-2024-23841
- https://github.com/apollographql/apollo-client-nextjs/commit/b92bc42abd5f8e17d4db361c36bd08e4f541a46b
- https://github.com/advisories/GHSA-rv8p-rr2h-fgpg
Blast Radius: 13.6
Affected Packages
npm:@apollo/experimental-nextjs-app-support
Dependent packages: 8Dependent repositories: 45
Downloads: 428,407 last month
Affected Version Ranges: <= 0.6.0
Fixed in: 0.7.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.6.0
All unaffected versions: 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0