Information Exposure Affecting @apollo/server package, versions <4.9.3


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-APOLLOSERVER-5876619
  • published 31 Aug 2023
  • disclosed 30 Aug 2023
  • credit Unknown

Introduced: 30 Aug 2023

CVE NOT AVAILABLE CWE-200 Open this link in a new tab

How to fix?

Upgrade @apollo/server to version 4.9.3 or higher.

Overview

@apollo/server is a spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. Successor to apollo-server-core, et al.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

  • Use either the schema reporting or usage reporting feature.

  • Use an Apollo Studio API key which has invalid header values.

  • Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

Workaround

  1. Try retrieving a new API key from Studio. Note: This may not work if the invalid character is not part of the secret (it may be derived from identifiers like graph name, user name).

  2. Override the fetcher

  3. Disable schema reporting and/or usage reporting

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
3.7 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None