CVE-2024-24558

Description

### Impact The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. This vulnerability arises from improper handling of untrusted input when `@tanstack/react-query-next-experimental` performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages. ### Patches To fix this issue, please update to version 5.18.0 or later. ### Workarounds There are no known workarounds for this issue. Please update to version 5.18.0 or later.

How to fix CVE-2024-24558

To remediate CVE-2024-24558, upgrade the affected package to a fixed version below.

• —upgrade to 5.18.0 or later

Is CVE-2024-24558 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.0.0, < 5.18.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24558
• PATCHgithub.com/TanStack/query
• WEBgithub.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1
• WEBgithub.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf