CVE-2024-24556
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Published Jan 30, 2024
Updated: Feb 6, 2024
CWE ID 79
Summary
CVE-2024-24556 is a newly disclosed vulnerability affecting the `@urql/next` package, a GraphQL client used in several frameworks. The issue lies in urql's handling of response streams: HTML-like characters in the response stream are not properly escaped, which can lead to Cross-Site Scripting (XSS). For an attack to succeed, the attacker must ensure that the response contains HTML tags, and the web application must use non-RSC (React Server Components) streamed responses. To mitigate this risk, upgrading to version 1.1.1 is urgently recommended.
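The escaping problem described in the summary can be seen in a generic streamed-HTML serializer. This is an added example, not code from `@urql/next`; the function names, the `window.__STREAM__` sink and the sample response are constructed assumptions.

```javascript
// Added illustration of CWE-79 in streamed inline data; not urql's code.
// All names here (window.__STREAM__, function names, SAMPLE) are hypothetical.
const PREFIX = "window.__STREAM__.push(";

// Weak form: JSON.stringify leaves "<", ">" and "&" as-is, so a string value
// that contains a closing script tag ends the inline script early once the
// chunk is parsed as HTML, and the rest of the value is treated as markup.
function unsafeInlineChunk(data) {
  return `<script>${PREFIX}${JSON.stringify(data)})</script>`;
}

// Hardened form: replace HTML-significant characters with JSON \uXXXX escapes.
// The result is still valid JSON/JS and decodes to the same string, but the
// HTML tokenizer never sees a tag inside the script body. U+2028/U+2029 are
// escaped too because older JS engines reject them inside string literals.
const ESCAPES = {
  "<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
  "\u2028": "\\u2028", "\u2029": "\\u2029",
};
function serializeForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}
function safeInlineChunk(data) {
  return `<script>${PREFIX}${serializeForInlineScript(data)})</script>`;
}

// Approximates the HTML parser: script content ends at the first "</script".
function scriptBodySeenByHtmlParser(chunk) {
  const start = chunk.indexOf("<script>") + "<script>".length;
  return chunk.slice(start, chunk.toLowerCase().indexOf("</script", start));
}

// Returns the data the page would receive, or null if the script was cut short.
function payloadSeenByBrowser(chunk) {
  const body = scriptBodySeenByHtmlParser(chunk);
  if (!body.startsWith(PREFIX) || !body.endsWith(")")) return null;
  try { return JSON.parse(body.slice(PREFIX.length, -1)); } catch { return null; }
}

// Constructed GraphQL-style response with HTML-like characters in a field.
const SAMPLE = { data: { post: { title: "Hello </script><p>constructed</p>" } } };

console.log("unsafe:", payloadSeenByBrowser(unsafeInlineChunk(SAMPLE)));
console.log("safe:  ", payloadSeenByBrowser(safeInlineChunk(SAMPLE)));
```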
Affected Vendors
- nearForm