CVE-2024-24558

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1	Patch
https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tanstack:react-query-next-experimental:*:*:*:*:*:node.js:*:*

History

23 Apr 2024, 19:52

Type	Values Removed	Values Added
First Time		Tanstack react-query-next-experimental
CPE	cpe:2.3:a:tanstack:query::::::node.js::*	cpe:2.3:a:tanstack:react-query-next-experimental::::::node.js::*

06 Feb 2024, 19:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:tanstack:query::::::node.js::*
References	~~() https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1 -~~	() https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1 - Patch
References	~~() https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf -~~	() https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf - Vendor Advisory
First Time		Tanstack query Tanstack
CVSS	v2 : ~~unknown~~ v3 : ~~8.2~~	v2 : unknown v3 : 6.1

30 Jan 2024, 20:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-30 20:15

Updated : 2024-04-23 19:52

NVD link : CVE-2024-24558

Mitre link : CVE-2024-24558

CVE.ORG link : CVE-2024-24558

JSON object : View

Products Affected

tanstack

react-query-next-experimental

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-24558", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2024-01-30T20:15:45.690", "references": [{"url": "https://github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.\n"}, {"lang": "es", "value": "TanStack Query proporciona administraci\u00f3n de estado asincr\u00f3nica, utilidades de estado de servidor y recuperaci\u00f3n de datos para la web. El paquete NPM `@tanstack/react-query-next-experimental` es afectado por una vulnerabilidad de cross site scripting. Para aprovechar esto, un atacante necesitar\u00eda inyectar entradas maliciosas o hacer arreglos para que se devuelvan entradas maliciosas desde un endpoint. Para solucionar este problema, actualice a la versi\u00f3n 5.18.0 o posterior."}], "lastModified": "2024-04-23T19:52:49.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tanstack:react-query-next-experimental:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "43EDEADA-4C6C-4BEA-A751-313424B932D6", "versionEndExcluding": "5.18.0", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}