CVE-2024-24558
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TanStack | query | >=5.0.0, < 5.18.0 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf
- https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf
- https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.