CVE-2024-24558

描述

### Impact The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. This vulnerability arises from improper handling of untrusted input when `@tanstack/react-query-next-experimental` performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages. ### Patches To fix this issue, please update to version 5.18.0 or later. ### Workarounds There are no known workarounds for this issue. Please update to version 5.18.0 or later.

如何修補 CVE-2024-24558

要修補 CVE-2024-24558,請將受影響套件升級到下列已修補版本。

• —升級至 5.18.0 或更新版本

CVE-2024-24558 正在被利用嗎?

低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 5.0.0, < 5.18.0

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24558
• PATCHgithub.com/TanStack/query
• WEBgithub.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1
• WEBgithub.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf