Description
The @urql/next package is vulnerable to cross-site scripting (XSS). To exploit this, an attacker would need to ensure that the response returns HTML tags and that the web application is using streamed responses (non-RSC). The vulnerability is caused by improper escaping of HTML-like characters in the response stream.
To fix this vulnerability, upgrade to version 1.1.1.
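The escaping problem described above, as an added example that is not code from @urql/next or from this advisory. It assumes the streamed data is written as JSON into an inline `<script>` chunk; the function names, the `__DATA__` variable and the sample response are constructed for illustration.

```javascript
// Hypothetical helpers (not the package's API) showing why JSON embedded in
// a streamed inline <script> needs HTML-aware escaping.

// Characters that can end or confuse an inline script block, mapped to JSON
// \uXXXX escapes that JSON.parse / the JS engine decode back unchanged.
const ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Weak form: JSON.stringify leaves "<" and ">" as-is, so a string value that
// contains "</script>" closes the inline script early.
function serializeNaive(data) {
  return JSON.stringify(data);
}

// Hardened form: no raw "<", ">" or "&" ever reaches the HTML stream.
function serializeForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// The chunk a streaming server would write for client-side hydration (assumed shape).
function hydrationChunk(serialize, data) {
  return `<script>window.__DATA__=${serialize(data)}</script>`;
}

// Rough model of the HTML tokenizer: script text ends at the first "</script".
function scriptBody(chunk) {
  const start = chunk.indexOf('<script>') + '<script>'.length;
  return chunk.slice(start, chunk.toLowerCase().indexOf('</script', start));
}

// True when the browser would see the complete, unmodified data inside the script.
function survivesInlineScript(serialize, data) {
  const json = scriptBody(hydrationChunk(serialize, data)).slice('window.__DATA__='.length);
  try {
    return JSON.stringify(JSON.parse(json)) === JSON.stringify(data);
  } catch {
    return false; // script was cut short: the rest of the value was parsed as HTML
  }
}

// Constructed sample: an API response whose field contains HTML tags.
const sample = { data: { post: { title: 'Hi</script><b>injected</b>' } } };

console.log('naive serializer intact:  ', survivesInlineScript(serializeNaive, sample));
console.log('escaped serializer intact:', survivesInlineScript(serializeForInlineScript, sample));
```

The same check can be used as a regression test on any code path that writes server data into streamed HTML.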
Recommendation
Update the @urql/next package to the latest compatible version. Version details:
- Affected version(s): < 1.1.1
- Patched version(s): 1.1.1
References
Related Issues
- Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
- Cross Site Scripting vulnerability in store2 - CVE-2024-57556
- vue-i18n has cross-site scripting vulnerability with prototype pollution - CVE-2024-52809
Tags: npm, @urql/next
Last updated on January 30, 2024


