Headline
GHSA-997g-27x8-43rf: react-query-streamed-hydration Cross-site Scripting vulnerability
Impact
The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint.
This vulnerability arises from improper handling of untrusted input when @tanstack/react-query-next-experimental performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.
Patches
To fix this issue, please update to version 5.18.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 5.18.0 or later.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-24558
react-query-streamed-hydration Cross-site Scripting vulnerability
High severity GitHub Reviewed Published Jan 30, 2024 in TanStack/query • Updated Jan 30, 2024
Package
npm @tanstack/react-query-next-experimental (npm)
Affected versions
>= 5.0.0, < 5.18.0
Impact
The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint.
This vulnerability arises from improper handling of untrusted input when @tanstack/react-query-next-experimental performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.
Patches
To fix this issue, please update to version 5.18.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 5.18.0 or later.
References
- GHSA-997g-27x8-43rf
- TanStack/query@f2ddaf2
Published to the GitHub Advisory Database
Jan 30, 2024
Last updated
Jan 30, 2024