3.8.1
9 years ago
18 hours ago
Known vulnerabilities in the graphiql package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
graphiql is a graphical interactive in-browser GraphQL IDE. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). This package is vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a vulnerable schema in By default, the schema URL is not attacker-controllable in It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in How to fix Cross-site Scripting (XSS)? Upgrade | >=0.5.0 <1.4.7 |