CVE-2024-24558: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2024-24558) affects the @tanstack/react-query-next-experimental NPM package, discovered and disclosed on January 30, 2024. This security issue is identified as a cross-site scripting (XSS) vulnerability that impacts versions 5.0.0 through 5.18.0 of the package (GitHub Advisory).

The vulnerability stems from improper handling of untrusted input during server-side rendering of HTML pages. The issue has been assigned a CVSS v3.1 base score of 8.2 (High severity), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction. The vulnerability is categorized as CWE-79, which is typically associated with cross-site scripting attacks (GitHub Advisory).

The vulnerability could allow attackers to execute cross-site scripting attacks by either injecting malicious input directly or arranging for malicious input to be returned from an endpoint. This could potentially lead to high impact on confidentiality and low impact on integrity of the affected systems (GitHub Advisory).

The vulnerability has been patched in version 5.18.0 of the package. Users are strongly advised to update to version 5.18.0 or later, as there are no known workarounds for this security issue. The fix implements appropriate escaping mechanisms to prevent JavaScript injection into rendered pages (GitHub Advisory, FortiGuard Labs).