urql is a GraphQL client that exposes a set of helpers for several frameworks. The @urql/next package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns html tags and that the web-application is using streamed responses (non-RSC). This vulnerability is due to improper escaping of html-like characters in the response-stream. To fix this vulnerability upgrade to version 1.1.1
{
"cwe_ids": [
"CWE-79"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24556.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:nearform:urql:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}