Update Your React Query Package to Patch XSS Vulnerability

CVE: CVE-2024-24558
CVSS (v3.1): 8.2
Source: CVE-2024-24558

TanStack Query is a popular state management library for React applications. A cross-site scripting (XSS) vulnerability was recently discovered in one of its packages called @tanstack/react-query-next-experimental.

XSS vulnerabilities occur when malicious code is injected into an otherwise trusted website. Attackers can use XSS to steal user data like cookies or passwords. With XSS, an attacker would need to trick a user into clicking a malicious link or submitting tainted data through a vulnerable site. This could then allow the injection of arbitrary HTML, JavaScript or other code into the user’s browser session.

The specific issue in the TanStack Query package was that it failed to properly sanitize user input before rendering it. This meant an attacker could craft requests or responses containing malicious scripts that would be executed in other users' browsers when they loaded pages built with the vulnerable code.
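To make the defect class concrete, here is an added illustration that is not code from the TanStack Query package and does not claim to reproduce its actual fix: a minimal server-side render helper that interpolates an untrusted value into HTML without escaping, beside a hardened variant that escapes it first. The function names (`renderUnsafe`, `renderSafe`, `escapeHtml`, `containsScriptTag`) and the sample payload are constructed for this example.

```javascript
// Added example: untrusted data rendered into HTML, unsafe vs. escaped.
// Not the TanStack Query code; names and sample payload are constructed.

// Map each HTML metacharacter to its entity so the browser treats the
// value as text rather than as markup.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable: the attacker-controlled string becomes part of the page's markup.
function renderUnsafe(userName) {
  return `<p>Welcome, ${userName}</p>`;
}

// Hardened: the same string is escaped before it reaches the HTML.
function renderSafe(userName) {
  return `<p>Welcome, ${escapeHtml(userName)}</p>`;
}

// Detection helper for a unit test or a render-time assertion: a fragment
// built from untrusted input should never contain a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload of the kind used to test for XSS.
const samplePayload = '<script>alert(1)</script>';

console.log(renderUnsafe(samplePayload)); // markup is injected into the page
console.log(renderSafe(samplePayload));   // rendered as inert text
```

The `containsScriptTag` check is the kind of assertion worth adding to a component's test suite: it fails on the unsafe renderer and passes once output is escaped, which is exactly the regression an upgrade like the one below is meant to prevent.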

The good news is that TanStack has released a patch in version 5.18.0 that fixes the problem. All users of the @tanstack/react-query-next-experimental package should update immediately to protect themselves against potential XSS attacks. Always keep your dependencies up to date to stay ahead of security issues.
