Information Exposure Affecting apollo-server-core package, versions *


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-APOLLOSERVERCORE-15790567
  • Published: 27 Mar 2026
  • Disclosed: 26 Mar 2026
  • Credit: AmirMohammad Safari

Introduced: 26 Mar 2026

CVE: not available. CWE-200

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer sensitive information about server responses by issuing specially crafted authenticated GraphQL queries across origins from a browser with a specific CORS implementation bug. By measuring response times, they can deduce facts such as whether a field returns null or the approximate number of entries a list field returns.

Note:

This is only exploitable if the server relies on cookies or HTTP Basic Auth for authentication and the attack is performed from a browser affected by the CORS bug.

Workaround

This vulnerability can be mitigated by blocking any HTTP request with a Content-Type header containing message/ from reaching the server, for example by adding middleware or a proxy rule to reject such requests.
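The following is an added example of the workaround above, written for this page and not code from the Apollo project or from Snyk. It is an Express-style middleware (the `(req, res, next)` shape) that rejects any request whose Content-Type header contains `message/` before the request can reach the GraphQL handler. The 415 status code, the case-insensitive substring match and the `simulate` helper with its constructed request objects are assumptions made here; the middleware has no dependency on Express or Apollo.

```javascript
// Added example: reject requests whose Content-Type contains "message/".
// Assumes an Express-style (req, res, next) middleware contract; the 415
// status and the matching rule are choices made for this example.

// Returns true when the Content-Type value should be rejected.
// Media type names are case-insensitive, so compare in lower case.
// Some frameworks expose repeated headers as arrays; handle that too.
function hasBlockedContentType(contentType) {
  if (Array.isArray(contentType)) {
    return contentType.some(hasBlockedContentType);
  }
  if (typeof contentType !== 'string') return false;
  return contentType.toLowerCase().includes('message/');
}

// Middleware: block matching requests with 415 Unsupported Media Type,
// pass everything else (including requests with no Content-Type) to next().
function rejectMessageContentType(req, res, next) {
  const header = req.headers ? req.headers['content-type'] : undefined;
  if (hasBlockedContentType(header)) {
    res.statusCode = 415;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Unsupported Media Type');
    return;
  }
  next();
}

// Offline harness with constructed request/response objects so the
// middleware can be exercised without a running server.
// Returns { passed, status }: passed is true when next() was called.
function simulate(contentType) {
  const req = {
    headers: contentType === undefined ? {} : { 'content-type': contentType },
  };
  let passed = false;
  const res = {
    statusCode: 200,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body || ''; },
  };
  rejectMessageContentType(req, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}

// Stand-alone demonstration with constructed Content-Type values.
for (const ct of ['application/json', 'message/rfc822', 'Message/Global', undefined]) {
  console.log(JSON.stringify(ct), '->', JSON.stringify(simulate(ct)));
}
```

In a real deployment the middleware is registered ahead of the GraphQL route (for Express, `app.use(rejectMessageContentType)` before the Apollo middleware) so that the check runs before any resolver executes and no timing signal is produced. The substring match is deliberately broad, following the wording of the workaround; normal GraphQL clients send `application/json`, so legitimate traffic is unaffected.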
