CVE-2024-24556

Name of the Vulnerable Software and Affected Versions @urql/next versions prior to 1.1.1

Description The @urql/next package is vulnerable to XSS due to improper escaping of html-like characters in the response-stream. To exploit this, an attacker would need to ensure that the response returns html tags and that the web-application is using streamed responses (non-RSC).

Recommendations For versions prior to 1.1.1, upgrade to version 1.1.1 to fix the vulnerability. As a temporary workaround, consider restricting the use of streamed responses (non-RSC) or ensuring proper escaping of html-like characters in the response-stream until a patch is available.