GHSA-997g-27x8-43rf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-997g-27x8-43rf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-997g-27x8-43rf/GHSA-997g-27x8-43rf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-997g-27x8-43rf
- Aliases
- Related
- Published
- 2024-01-30T20:57:22Z
- Modified
- 2024-01-30T21:34:04Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- react-query-streamed-hydration Cross-site Scripting vulnerability
- Details
-
Impact
The
@tanstack/react-query-next-experimentalNPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint.This vulnerability arises from improper handling of untrusted input when
@tanstack/react-query-next-experimentalperforms server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.Patches
To fix this issue, please update to version 5.18.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 5.18.0 or later.
- Database specific
{ "nvd_published_at": "2024-01-30T20:15:45Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-01-30T20:57:22Z" }- References
Affected packages
npm / @tanstack/react-query-next-experimental
Package
- Name
- @tanstack/react-query-next-experimental
- View open source insights on deps.dev
- Purl
- pkg:npm/%40tanstack/react-query-next-experimental