PT-2020-17846 · Graphql · Graphql-Playground-Middleware-Hapi+3

Masato Kinugawa

·

Published

2020-06-08

·

Updated

2020-06-12

·

CVE-2020-4038

CVSS v3.1

7.4

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

graphql-playground-html versions prior to 1.6.22
graphql-playground-middleware-express versions prior to 1.7.16
graphql-playground-middleware-koa versions prior to 1.6.15
graphql-playground-middleware-lambda versions prior to 1.7.17
graphql-playground-middleware-hapi versions prior to 1.6.13
Description

graphql-playground-html builds the Playground HTML page from the options passed to renderPlaygroundPage() (for example, the endpoint option). Any option value that is taken from user input and passed in unsanitized is reflected into the generated page, so an attacker who gets a user to open a crafted link can run script in that user's browser (reflected cross-site scripting, XSS). The vulnerability affects not only graphql-playground-html but also the middleware packages that depend on it (express, koa, lambda and hapi), since they pass their options through to the same rendering function.
Recommendations

For graphql-playground-html, update to version 1.6.22 or later by running yarn add graphql-playground-html@^1.6.22 or npm install --save graphql-playground-html@^1.6.22.
For graphql-playground-middleware-express, follow the security upgrade steps at https://www.npmjs.com/package/graphql-playground-middleware-express#security-upgrade-steps to upgrade to version 1.7.16 or later.
For graphql-playground-middleware-koa, follow the security upgrade steps at https://www.npmjs.com/package/graphql-playground-middleware-koa#security-upgrade-steps to upgrade to version 1.6.15 or later.
For graphql-playground-middleware-lambda, follow the security upgrade steps at https://www.npmjs.com/package/graphql-playground-middleware-lambda#security-upgrade-steps to upgrade to version 1.7.17 or later.
For graphql-playground-middleware-hapi, follow the security upgrade steps at https://www.npmjs.com/package/graphql-playground-middleware-hapi#security-upgrade-steps to upgrade to version 1.6.13 or later.

As a temporary workaround, ensure you properly sanitize all user input used for the options that initialize GraphQL Playground. For example, use the sanitizeUrl function from @braintree/sanitize-url to sanitize the endpoint variable before passing it to renderPlaygroundPage() or other affected functions.
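The following is an added example, not code from graphql-playground-html or any of the middleware packages, showing the workaround pattern described above on an Express-style handler: the endpoint option is read from the query string, first in the unsafe pre-fix pattern (the option interpolated verbatim into the page's inline script) and then in a hardened form that validates the value and embeds it as an escaped JavaScript literal. renderUnsafePage() and renderSafePage() are stand-ins that model how an option ends up inside the page; they are assumptions for illustration and are not the library's real template. The handler returns { status, body } instead of writing to a response so the result can be checked offline; the payload and endpoint values are constructed inputs.

```javascript
// Added example (not the project's code). Models the reflected-XSS pattern in
// which a Playground option taken from the request is placed into an inline
// <script>, plus a hardened handler. Node.js, no third-party dependencies.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Pre-fix pattern (stand-in, not the library's template): the option is
// interpolated verbatim. A value such as '</script><script>alert(1)</script>'
// closes the script element and the browser runs the attacker's markup.
function renderUnsafePage(options) {
  return `<!DOCTYPE html><html><body>
<script>
  GraphQLPlayground.init(document.body, { endpoint: '${options.endpoint}' });
</script></body></html>`;
}

// Validation step: accept only a same-origin path (single leading '/') or an
// absolute http(s) URL. javascript:, data:, protocol-relative '//host',
// control characters and anything unparsable are rejected with null.
function safeEndpoint(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  if (/[\u0000-\u0020\u007f]/.test(raw)) return null; // browsers strip these before scheme parsing
  if (raw.startsWith('/')) {
    return raw.startsWith('//') ? null : raw;          // '//evil/..' would change origin
  }
  let url;
  try {
    url = new URL(raw);                                 // absolute URLs only; relative input throws
  } catch (_) {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Embedding step: even a validated value is serialised as a JS string literal
// with '<', '>' and U+2028/U+2029 escaped, so it can never close the <script>
// element or break the literal regardless of its content.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened stand-in: same page shape, but the option is embedded as a literal.
function renderSafePage(options) {
  return `<!DOCTYPE html><html><body>
<script>
  GraphQLPlayground.init(document.body, { endpoint: ${jsStringLiteral(options.endpoint)} });
</script></body></html>`;
}

// Express-style handler: query is req.query, so query.endpoint is attacker
// controlled. hardened=false reproduces the vulnerable pattern for comparison.
function playgroundHandler(query, { hardened = true } = {}) {
  const raw = query.endpoint !== undefined ? query.endpoint : '/graphql';
  if (!hardened) {
    return { status: 200, body: renderUnsafePage({ endpoint: raw }) };
  }
  const endpoint = safeEndpoint(raw);
  if (endpoint === null) {
    return { status: 400, body: 'invalid endpoint' };
  }
  return { status: 200, body: renderSafePage({ endpoint }) };
}
```

With the hardened handler, a request carrying endpoint=</script><script>alert(1)</script> is answered with 400 because the value is neither a same-origin path nor an http(s) URL; a legitimate but odd value such as /graphql?x=<b> is accepted and lands in the page as "/graphql?x=\u003cb\u003e", which the browser reads as a plain string. Validation alone (the sanitizeUrl step recommended above) blocks dangerous schemes; the escaping step is what keeps a permitted value from breaking out of the script, so both are worth keeping until the packages are upgraded.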

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-4038
GHSA-4852-VRH7-28RF

Affected Products

Graphql-Playground-Html
Graphql-Playground-Middleware-Express
Graphql-Playground-Middleware-Hapi
Graphql-Playground-Middleware-Lambda