CVE-2024-24556

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Jan 30, 2024
Updated: Feb 6, 2024
CWE ID 79

Summary

CVE-2024-24556 is a newly disclosed vulnerability affecting the `@urql/next` package, a GraphQL client used in several frameworks. The issue lies in urql's handling of response streams, where improper escaping of HTML-like characters can lead to Cross-Site Scripting (XSS) attacks. For an attack to succeed, the attacker must ensure the response contains HTML tags and the web application uses non-RSC (React Server Components) streamed responses. To mitigate this risk, urgent upgrades to version 1.1.1 are recommended.
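The bug class described in the summary, as an added example that is not code from `@urql/next` or from the fix in 1.1.1: response data serialized into an inline `<script>` chunk of a streamed HTML page, first without and then with escaping of HTML-like characters. The global `__STREAMED_DATA__`, the function names and the sample response are assumptions made for illustration.

```javascript
// Added example; __STREAMED_DATA__ and all function names are hypothetical.
// Characters that are harmless in JSON but significant to the HTML parser
// (or, for U+2028/U+2029, to older JavaScript parsers) are replaced with
// \uXXXX escapes, which are only ever needed inside JSON string values.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Weak form: JSON.stringify leaves "<" and ">" untouched, so a string value
// containing "</script>" closes the inline script element early and the
// rest of the value is parsed by the browser as HTML.
function unsafeChunk(data) {
  return `<script>(window.__STREAMED_DATA__ = window.__STREAMED_DATA__ || []).push(${JSON.stringify(data)})</script>`;
}

// Hardened form: the serialized payload contains no "<", ">" or "&", so the
// HTML parser cannot see a tag inside it; JavaScript still decodes the
// \uXXXX escapes back to the original characters.
function serializeForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function safeChunk(data) {
  return `<script>(window.__STREAMED_DATA__ = window.__STREAMED_DATA__ || []).push(${serializeForInlineScript(data)})</script>`;
}

// Check helper: how many times does the chunk close a script element?
// A well-formed chunk closes it exactly once, at the very end.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a GraphQL-style response whose field value carries markup.
const sample = { data: { post: { title: "Hello </script><b>markup</b>" } } };

console.log("unsafe closes:", scriptCloseCount(unsafeChunk(sample))); // 2
console.log("safe closes:  ", scriptCloseCount(safeChunk(sample)));   // 1
console.log(safeChunk(sample));
```
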
