Information Exposure Affecting apollo-server-core package, versions <2.26.1>=3.0.0 <3.12.1


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-APOLLOSERVERCORE-5876618
  • published31 Aug 2023
  • disclosed30 Aug 2023
  • creditUnknown

Introduced: 30 Aug 2023

CVE NOT AVAILABLE CWE-200  (opens in a new tab)

How to fix?

Upgrade apollo-server-core to version 2.26.1, 3.12.1 or higher.

Overview

apollo-server-core is a core module of the Apollo community GraphQL Server.

Affected versions of this package are vulnerable to Information Exposure when it can log sensitive information, such as Studio API keys, if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value.

Note Users are affected only if all the conditions are true:

  • Use either the schema reporting or usage reporting feature.

  • Use an Apollo Studio API key which has invalid header values.

  • Use the default fetcher (node-fetch) or configure their own node-fetch fetcher

Workaround

  1. Try retrieving a new API key from Studio. Note: This may not work if the invalid character is not part of the secret (it may be derived from identifiers like graph name, user name).

  2. Override the fetcher

  3. Disable schema reporting and/or usage reporting

CVSS Scores

version 3.1