Description
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/apollographql/apollo-client-nextjs/security/advisories/GHSA-rv8p-rr2h-fgpg
Scores
CVSS v3
8.2
EPSS
0.0050
EPSS Percentile
65.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
Status
published
Products (2)
apollo/experimental-nextjs-app-support
0 - 0.7.0npm
apollographql/apollo_client
< 0.7.0
Published
Jan 30, 2024
Tracked Since
Feb 18, 2026