Update Your React Query Package to Patch XSS Vulnerability

CVE: CVE-2024-24558
CVSS (v3.1): 8.2
Source: CVE-2024-24558

TanStack Query is a popular state management library for React applications. A cross-site scripting (XSS) vulnerability was recently discovered in one of its packages, @tanstack/react-query-next-experimental.

XSS vulnerabilities occur when malicious code is injected into an otherwise trusted website. Attackers can use XSS to steal users’ sensitive data like cookies, log users out of accounts, or redirect them to malicious sites.

In this case, if an attacker was able to inject malicious JavaScript code into data returned from an API endpoint, it could potentially be executed by users’ browsers when they visit pages that use the vulnerable React Query package. This could allow the attacker to hijack users’ sessions or perform other unwanted actions on their behalf.
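The advisory does not spell out the exact code path, so the following is an added illustration of the vulnerability class it describes, not code from the original page or from the TanStack project. It assumes one common way API data becomes executable in the browser: a server renders fetched JSON into an inline script tag for hydration. The API response, the `window.__DATA__` name and the helper functions are constructed for this example.

```javascript
// Added example, not code from the advisory or the TanStack project.
// Assumed mechanism: server-side embedding of API JSON into an inline
// <script> for client hydration, which is a typical source of "injected
// JavaScript in API data runs in the user's browser".

// Constructed API response: "bio" is user-controlled and was stored and
// returned by the API unchanged.
const apiData = {
  user: 'alice',
  bio: '</script><script>/* attacker-controlled */</script>',
};

// UNSAFE: JSON.stringify does not escape "<" or ">". A "</script>" inside a
// string value ends the inline script early; the HTML parser then treats the
// rest of the value as markup, including a new <script> element.
function unsafeHydrationScript(data) {
  return `<script>window.__DATA__ = ${JSON.stringify(data)};</script>`;
}

// SAFE: replace the characters that matter in an HTML script context with JSON
// unicode escapes. The output is still valid JSON and valid JavaScript, but the
// byte sequence "</script>" can no longer appear inside the string.
const HTML_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line separator, not allowed raw in JS string literals
  '\u2029': '\\u2029', // paragraph separator, same reason
};

function htmlEscapeJsonString(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (c) => HTML_ESCAPES[c]);
}

function safeHydrationScript(data) {
  const escaped = htmlEscapeJsonString(JSON.stringify(data));
  return `<script>window.__DATA__ = ${escaped};</script>`;
}

// The escaping must be lossless: once the browser evaluates the script, the
// client sees exactly the data the server fetched. JSON.parse accepts \uXXXX
// escapes, so it doubles as the check here.
function roundTrips(data) {
  const escaped = htmlEscapeJsonString(JSON.stringify(data));
  return JSON.stringify(JSON.parse(escaped)) === JSON.stringify(data);
}

// Simple detection heuristic for rendered output: a correctly escaped inline
// script contains exactly one "</script>" (its own closing tag).
function countScriptClosers(html) {
  return html.split('</script>').length - 1;
}

console.log('unsafe:', unsafeHydrationScript(apiData));
console.log('safe:  ', safeHydrationScript(apiData));
console.log('round-trips:', roundTrips(apiData));
```

The same `countScriptClosers` check can be run over server-rendered HTML in a test suite as a regression guard: any inline data script that contains more than one closing tag indicates unescaped content reached the page.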

The good news is TanStack has released a patch with version 5.18.0 that fixes this vulnerability. All React Query users are advised to update their packages immediately. You can check your currently installed version with 'npm list @tanstack/react-query-next-experimental'. If it is below 5.18.0, run 'npm update' to get the latest patched release.

Staying on top of library updates is important for security. By taking a few minutes to update now, you can help protect your app and its users from any potential exploits of this cross-site scripting bug.
