apollo-server-core@3.6.4 vulnerabilities

Core engine for Apollo GraphQL server

Direct Vulnerabilities

Known vulnerabilities in the apollo-server-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Information Exposure

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

  • Use either the schema reporting or usage reporting feature.

  • Use an Apollo Studio API key which has invalid header values.

  • Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

How to fix Information Exposure?

Upgrade apollo-server-core to version 2.26.1, 3.12.1 or higher.

<2.26.1 >=3.0.0 <3.12.1
  • M
Cache Poisoning

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.

Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.

How to fix Cache Poisoning?

Upgrade apollo-server-core to version 3.11.0 or higher.

>=3.0.0 <3.11.0
  • M
Cross-site Scripting (XSS)

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ApolloServerPluginLandingPageDefault() function in index.ts. When displaying a sample curl command on the default landing page, some browsers interpolate a received URL without escaping if it can't be fetched from the Apollo CDN.

NOTE: Several conditions must be met for this vulnerability to be exploited.

  1. The affected user must use a browser like IE11, which doesn't URL-encode URLs retrieved from window.location.href.

  2. The Apollo Server default landing page is enabled by passing ApolloServerPluginLandingPageLocalDefault(), ApolloServerPluginLandingPageProductionDefault(), or no value to the plugins option of new ApolloServer.

How to fix Cross-site Scripting (XSS)?

Upgrade apollo-server-core to version 3.10.1 or higher.

>=3.0.0 <3.10.1
  • H
Denial of Service (DoS)

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Denial of Service (DoS) by accepting an unbounded amount of memory in the cache.

NOTE: The size of a cache can be limited with the cache: "bounded" option as of version 3.9.0.

How to fix Denial of Service (DoS)?

Upgrade apollo-server-core to version 3.9.0 or higher.

<3.9.0