CVE-2024-23841: 
JavaScript vulnerability analysis and mitigation

The @apollo/experimental-apollo-client-nextjs NPM package, which provides Apollo Client support for the Next.js App Router, was found to contain a cross-site scripting (XSS) vulnerability. The vulnerability was discovered on January 30, 2024, and affects all versions up to and including 0.6.0 (GitHub Advisory).

The vulnerability stems from improper handling of untrusted input during server-side rendering of HTML pages. The issue has been assigned CVE-2024-23841 and received a CVSS v3.1 base score of 8.2 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, indicating a network-exploitable vulnerability requiring no privileges or user interaction (NVD).

An attacker could exploit this vulnerability by either injecting malicious input through specifically-crafted links or by arranging to have malicious input returned by a GraphQL server (e.g., by persisting it in a database). The successful exploitation could lead to cross-site scripting attacks (GitHub Advisory).

The vulnerability has been fixed in version 0.7.0 of the package by implementing appropriate escaping to prevent JavaScript injection into rendered pages. Users are strongly advised to update to version 0.7.0 or later, as there are no known workarounds for this issue (GitHub Advisory).