@apollo/server@4.3.0 vulnerabilities

Core engine for Apollo GraphQL server

latest version

4.11.2
latest non vulnerable version

4.11.2
first published

5 years ago
latest version published

23 days ago
licenses detected
- MIT
  >=0
View @apollo/server package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @apollo/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
L Information Exposure @apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al. Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value. Note Users are affected only if all the conditions are true: Use either the schema reporting or usage reporting feature. Use an Apollo Studio API key which has invalid header values. Use the default fetcher (`node-fetch`) or configure their own `node-fetch` fetcher How to fix Information Exposure? Upgrade `@apollo/server` to version 4.9.3 or higher.	<4.9.3
L Cross-site Scripting (XSS) @apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper application of Content Security Policies (CSP), which fails to prevent XSS in the event that there is a viable attack vector for an XSS attack. How to fix Cross-site Scripting (XSS)? Upgrade `@apollo/server` to version 4.7.4 or higher.	>=4.0.0 <4.7.4

Information Exposure

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

Use either the schema reporting or usage reporting feature.
Use an Apollo Studio API key which has invalid header values.
Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

How to fix Information Exposure?

Upgrade @apollo/server to version 4.9.3 or higher.

<4.9.3

Cross-site Scripting (XSS)

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper application of Content Security Policies (CSP), which fails to prevent XSS in the event that there is a viable attack vector for an XSS attack.

How to fix Cross-site Scripting (XSS)?

Upgrade @apollo/server to version 4.7.4 or higher.

>=4.0.0 <4.7.4

Go back to all versions of this package

@apollo/server@4.3.0 vulnerabilities

Core engine for Apollo GraphQL server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities