{"id":"CVE-2024-24556","summary":"XSS in @urql/next","details":"urql is a GraphQL client that exposes a set of helpers for several frameworks. The `@urql/next` package is vulnerable to XSS. To exploit this, an attacker would need to ensure that the response returns HTML tags and that the web application is using streamed responses (non-RSC). The vulnerability is caused by improper escaping of HTML-like characters in the response stream. To fix this vulnerability, upgrade `@urql/next` to version 1.1.1.","aliases":["GHSA-qhjf-hm5j-335w"],"modified":"2026-05-28T03:54:36.331362865Z","published":"2024-01-30T17:21:19.964Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24556.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24556.json"},{"type":"ADVISORY","url":"https://github.com/urql-graphql/urql/security/advisories/GHSA-qhjf-hm5j-335w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24556"},{"type":"FIX","url":"https://github.com/urql-graphql/urql/commit/4b7011b70d5718728ff912d02a4dbdc7f703540d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urql-graphql/urql","events":[{"introduced":"0"},{"fixed":"bc09338d13db9d512665e47809b9d6554da4b7ac"}]}],"versions":["v1.1.0","v1.0.5","v1.0.4","v1.0.3","v1.0.2","v1.0.1","v1.0.0","v0.3.0-next1","v0.2.1","v0.2.0","v0.1.1","v0.1.0","v0.0.11","v0.0.10","v0.0.9","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-24556.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}