Cache Poisoning Affecting apollo-server-core package, versions >=3.0.0 <3.11.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-APOLLOSERVERCORE-3098876
  • published3 Nov 2022
  • disclosed2 Nov 2022
  • creditUnknown

Introduced: 2 Nov 2022

CVE NOT AVAILABLE CWE-524  (opens in a new tab)

How to fix?

Upgrade apollo-server-core to version 3.11.0 or higher.

Overview

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Cache Poisoning when processing batch POST requests. The cache-control response header can be manipulated to cause data that should not be shared to be accessible by other clients via a reverse proxy such as a CDN, or by a browser.

Plugins assemble separate response headers in parallel for each operation in a batch, and then the header sets are merged together. If plugins set the same header on multiple operations, one value is chosen arbitrarily, and its cache policy is applied. This allows the responses from operations whose policy does not allow caching to be cached.

Workaround

This vulnerability can be avoided by disabling either the HTTP batching feature or the cache-control header feature.

CVSS Scores

version 3.1