PT-2024-20116 · Unknown · Apollo-Client-Nextjs+1
Ikemurami · Published 2024-01-30 · Updated 2024-02-06 · CVE-2024-23841
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
apollo-client-nextjs versions prior to 0.7.0
Description
The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to cross-site scripting (XSS). The issue arises because untrusted input is not properly escaped when the package performs server-side rendering of HTML pages. To exploit it, an attacker needs to either inject malicious input directly or arrange for the GraphQL server the application queries to return malicious input. Because the payload can arrive as legitimately returned GraphQL data rather than as a request parameter, input validation at the application layer is not a reliable substitute for the fix.
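The mechanism, as an added illustration that is not code from apollo-client-nextjs: server-rendered pages commonly hand the fetched GraphQL result to the browser by embedding it as JSON inside an inline script element. JSON.stringify does not escape `<`, so a string value containing `</script>` terminates the script element early and the remainder of the value is parsed as HTML. The hardened pattern escapes HTML-significant characters as JSON `\uXXXX` sequences, which JSON.parse on the client turns back into the original data. The sample GraphQL result, the function names and the `window.__STATE__` serialization format are assumptions made for this example and do not reproduce the package's internals.

```javascript
// Added example, not code from apollo-client-nextjs. Shows how SSR state
// serialization into an inline <script> becomes XSS, and one way to fix it.

// Constructed sample GraphQL result; the "bio" field stands in for a value an
// attacker can influence on the GraphQL server side.
const SAMPLE_RESULT = {
  data: {
    user: {
      id: "1",
      bio: "</script><script>alert(document.cookie)</script>",
      line: "a\u2028b", // U+2028 line separator, emitted raw by JSON.stringify
    },
  },
};

// Vulnerable pattern: raw JSON.stringify inside a script tag. The HTML parser
// treats script content as raw text and ends the element at the first
// "</script", regardless of JS string boundaries.
function inlineStateNaive(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Hardened pattern: rewrite characters that matter to the HTML parser as JSON
// \uXXXX escapes. "<" is the one that prevents "</script" and "<!--" from
// appearing; ">" and "&" are escaped for symmetry, and U+2028/U+2029 because
// older JS engines rejected them raw inside string literals. The output is
// still valid JSON, so the client recovers the original data unchanged.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function inlineStateSafe(state) {
  const json = escapeForInlineScript(JSON.stringify(state));
  return `<script>window.__STATE__ = ${json};</script>`;
}

// Check: does anything between the outer <script> and the final </script>
// contain a closing script tag (case-insensitive, as the HTML parser matches)?
function scriptBodyHasBreakout(html) {
  const body = html.slice("<script>".length, html.lastIndexOf("</script>"));
  return /<\/script/i.test(body);
}

// Round trip: pull the serialized payload back out and parse it the way the
// browser's JSON.parse would, to confirm escaping did not alter the data.
function recoverState(html) {
  const m = html.match(/window\.__STATE__ = (.*);<\/script>$/s);
  return JSON.parse(m[1]);
}

// Stand-alone run for the reader.
console.log("naive breakout:", scriptBodyHasBreakout(inlineStateNaive(SAMPLE_RESULT)));
console.log("safe breakout: ", scriptBodyHasBreakout(inlineStateSafe(SAMPLE_RESULT)));
console.log("round trip ok: ",
  JSON.stringify(recoverState(inlineStateSafe(SAMPLE_RESULT))) === JSON.stringify(SAMPLE_RESULT));
```

The same escaping applies wherever JSON is placed inside a script element, including JSON in a `type="application/json"` data island: that element is also raw text to the HTML parser, so a `</script>` inside a string value still breaks out of it.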
Recommendations
To fix this issue, update to version 0.7.0 or later.
No temporary workaround is available, so updating to the fixed version is the only recommended course of action. After updating, confirm that the lockfile resolves the package to 0.7.0 or later rather than relying on the version range in package.json.
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
@Apollo/Experimental-Apollo-Client-Nextjs
Apollo-Client-Nextjs