CVE-2024-23841

8.2 HIGH

📋 TL;DR

CVE-2024-23841 is a cross-site scripting vulnerability in the @apollo/experimental-apollo-client-nextjs NPM package that allows attackers to execute arbitrary JavaScript in users' browsers. This affects applications using Apollo Client with Next.js App Router that handle untrusted GraphQL data or user inputs. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • @apollo/experimental-apollo-client-nextjs
Versions: Versions before 0.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Next.js applications using Apollo Client with the App Router architecture.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, data theft, and malicious actions performed on behalf of authenticated users through persistent XSS attacks.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized actions within the affected application.

🟢

If Mitigated

Limited impact with proper content security policies and input validation, though still potentially dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires either malicious user input injection or compromised GraphQL server responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.0 or later

Vendor Advisory: https://github.com/apollographql/apollo-client-nextjs/security/advisories/GHSA-rv8p-rr2h-fgpg

Restart Required: Yes

Instructions:

1. Update package.json to use @apollo/experimental-apollo-client-nextjs version 0.7.0 or higher.
2. Run npm update or yarn upgrade.
3. Restart your Next.js application server.

🔧 Temporary Workarounds

Implement Content Security Policy

all

Add strict CSP headers to prevent script execution from untrusted sources

Input Validation and Sanitization

all

Implement server-side validation and sanitization of all GraphQL responses and user inputs

🧯 If You Can't Patch

  • Implement strict Content Security Policy with script-src directives
  • Add input validation and output encoding for all user-controlled data

🔍 How to Verify

Check if Vulnerable:

Check package.json for @apollo/experimental-apollo-client-nextjs version below 0.7.0

Check Version:

npm list @apollo/experimental-apollo-client-nextjs

Verify Fix Applied:

Verify package.json shows version 0.7.0 or higher and test application functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual GraphQL query patterns
  • JavaScript execution errors in browser logs
  • Unexpected redirects or cookie access

Network Indicators:

  • Suspicious script tags in HTTP responses
  • Unusual outbound connections from client browsers

SIEM Query:

source="web_server" AND ("script" OR "javascript") AND status=200 AND uri="*graphql*"

🔗 References
