CVE-2024-23841 XSS in @apollo/experimental-nextjs-app-support

2024-01-3017:14:12

CWE-80

GitHub_M

www.cve.org

cve-2024-23841

xss

apollo client

next.js app

cross-site scripting

vulnerability

npm package

graphql server

update

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

8 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.

CNA Affected

[
  {
    "vendor": "apollographql",
    "product": "apollo-client-nextjs",
    "versions": [
      {
        "version": "< 0.7.0",
        "status": "affected"
      }
    ]
  }
]