High severity · NVD Advisory · Published Jan 30, 2024 · Updated Jun 17, 2025
XSS in @apollo/experimental-nextjs-app-support
CVE-2024-23841
Description
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @apollo/experimental-nextjs-app-support | npm | < 0.7.0 | 0.7.0 |
Affected products
- @apollo/experimental-nextjs-app-support, range: < 0.7.0
References
- github.com/advisories/GHSA-rv8p-rr2h-fgpg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23841 (NVD advisory)
- github.com/apollographql/apollo-client-nextjs/commit/b92bc42abd5f8e17d4db361c36bd08e4f541a46b (fix commit)
- github.com/apollographql/apollo-client-nextjs/security/advisories/GHSA-rv8p-rr2h-fgpg (vendor advisory)