Information Exposure Affecting apollo-server-core package, versions <2.26.1 >=3.0.0 <3.12.1
- Snyk ID SNYK-JS-APOLLOSERVERCORE-5876618
- published 31 Aug 2023
- disclosed 30 Aug 2023
- credit Unknown
How to fix?
Upgrade apollo-server-core to version 2.26.1, 3.12.1 or higher.
Overview
apollo-server-core is a core module of the Apollo community GraphQL Server.
Affected versions of this package are vulnerable to Information Exposure: the server can log sensitive information, such as Studio API keys, when a key is passed incorrectly with leading or trailing whitespace, or when it contains characters that are invalid in an HTTP header value.
Note: Users are affected only if all of the following conditions are true:
- They use either the schema reporting or the usage reporting feature.
- They use an Apollo Studio API key that is not a valid header value.
- They use the default fetcher (node-fetch) or configure their own node-fetch fetcher.
Workaround
- Try retrieving a new API key from Studio. Note: This may not work if the invalid character is not part of the secret (it may be derived from identifiers like graph name or user name).
- Override the fetcher.
- Disable schema reporting and/or usage reporting.