Cache Poisoning Affecting @apollo/server package, versions <4.1.0


Severity

0.0
medium
0
10

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-APOLLOSERVER-3098875
  • published 3 Nov 2022
  • disclosed 2 Nov 2022
  • credit Unknown

Introduced: 2 Nov 2022

CVE NOT AVAILABLE CWE-524 Open this link in a new tab

How to fix?

Upgrade @apollo/server to version 4.1.0 or higher.

Overview

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.

Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.

Workaround

This vulnerability can be avoided by disabling either the HTTP batching feature or the cache-control header feature.

CVSS Scores

version 3.1
Expand this section

Snyk

6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None