Cache Poisoning Affecting @apollo/server package, versions <4.1.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-APOLLOSERVER-3098875
- published 3 Nov 2022
- disclosed 2 Nov 2022
- credit Unknown
How to fix?
Upgrade @apollo/server to version 4.1.0 or higher.
Overview
@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.
Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.
Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.
Workaround
This vulnerability can be avoided by disabling either the HTTP batching feature or the cache-control header feature.