apollo-server-core 1.0.3-tracing.2

Direct Vulnerabilities

Known vulnerabilities in the apollo-server-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Information Exposure apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer sensitive information about server responses by issuing specially crafted authenticated GraphQL queries across origins using a browser with a specific CORS implementation bug, allowing them to analyze response times and deduce facts such as whether fields return null or the approximate number of list entries returned from fields. Note: This is only exploitable if the server relies on cookies or HTTP Basic Auth for authentication and the attack is performed from a browser affected by the CORS bug. How to fix Information Exposure? A fix was pushed into the `master` branch but not yet published.	*
L Information Exposure apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value. Note Users are affected only if all the conditions are true: Use either the schema reporting or usage reporting feature. Use an Apollo Studio API key which has invalid header values. Use the default fetcher (`node-fetch`) or configure their own `node-fetch` fetcher How to fix Information Exposure? Upgrade `apollo-server-core` to version 2.26.1, 3.12.1 or higher.	<2.26.1>=3.0.0 <3.12.1
H Denial of Service (DoS) apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Denial of Service (DoS) by accepting an unbounded amount of memory in the cache. NOTE: The size of a cache can be limited with the `cache: "bounded"` option as of version 3.9.0. How to fix Denial of Service (DoS)? Upgrade `apollo-server-core` to version 3.9.0 or higher.	<3.9.0
H Information Exposure apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Information Exposure. It does not properly enforce validation rules when creating subscription servers, which includes a `NoInstrospection` rule for the Websocket. This leaks the GraphQL schema types, their relations and human-readable names. How to fix Information Exposure? Upgrade `apollo-server-core` to version 2.14.2 or higher.	<2.14.2

Vulnerability

Vulnerable Version

Information Exposure

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer sensitive information about server responses by issuing specially crafted authenticated GraphQL queries across origins using a browser with a specific CORS implementation bug, allowing them to analyze response times and deduce facts such as whether fields return null or the approximate number of list entries returned from fields.

Note:

This is only exploitable if the server relies on cookies or HTTP Basic Auth for authentication and the attack is performed from a browser affected by the CORS bug.

How to fix Information Exposure?

A fix was pushed into the master branch but not yet published.

Information Exposure

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

Use either the schema reporting or usage reporting feature.
Use an Apollo Studio API key which has invalid header values.
Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

How to fix Information Exposure?

Upgrade apollo-server-core to version 2.26.1, 3.12.1 or higher.

<2.26.1>=3.0.0 <3.12.1

Denial of Service (DoS)

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Denial of Service (DoS) by accepting an unbounded amount of memory in the cache.

NOTE: The size of a cache can be limited with the cache: "bounded" option as of version 3.9.0.

How to fix Denial of Service (DoS)?

Upgrade apollo-server-core to version 3.9.0 or higher.

<3.9.0

Information Exposure

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure. It does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and human-readable names.

How to fix Information Exposure?

Upgrade apollo-server-core to version 2.14.2 or higher.

<2.14.2

apollo-server-core@1.0.3-tracing.2

Core engine for Apollo GraphQL server

latest version

first published

latest version published

deprecated

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically