CVE-2024-24558

2024-01-3020:15:45

CWE-79

[email protected]

web.nvd.nist.gov

tanstack query

async state management

server-state utilities

data fetching

xss

npm vulnerability

update

cve-2024-24558

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.

Affected configurations

Vulners

NVD

Node

tanstackreact-query-next-experimentalRange5.0.0–5.18.0

VendorProductVersionCPE
tanstackreact\-query\-next\-experimental*cpe:2.3:a:tanstack:react\-query\-next\-experimental:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tanstack	react\-query\-next\-experimental	*	cpe:2.3:a:tanstack:react\-query\-next\-experimental::::::::

CNA Affected

[
  {
    "vendor": "TanStack",
    "product": "query",
    "versions": [
      {
        "version": ">=5.0.0, < 5.18.0",
        "status": "affected"
      }
    ]
  }
]