In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade apollo-server-core
to version 3.11.0 or higher.
apollo-server-core is a core module of the Apollo community GraphQL Server.
Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control
response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.
Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.
This vulnerability can be avoided by disabling either the HTTP batching feature or the cache-control
header feature.