Описание
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
Impact
The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. This vulnerability arises from improper handling of untrusted input when @apollo/experimental-apollo-client-nextjs performs server-side rendering of HTML pages. To fix this vulnerability, we implemented appropriate escaping to prevent javascript injection into rendered pages.
Patches
To fix this issue, please update to version 0.7.0 or later.
Workarounds
There are no known workarounds for this issue. Please update to version 0.7.0
Пакеты
@apollo/experimental-nextjs-app-support
<= 0.6.0
0.7.0
Связанные уязвимости
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.