PT-2020-21539 · Apollo · Apollo-Server-Core+11

Published 2020-06-05 · Updated 2020-06-05

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Apollo Server versions prior to 2.14.2
apollo-server-core versions prior to 2.14.2
apollo-server-express versions prior to 2.14.2
apollo-server-azure-functions versions prior to 2.14.2
apollo-server-cache-memcached versions prior to 2.14.2
apollo-server-cloud-functions versions prior to 2.14.2
apollo-server-cloudflare versions prior to 2.14.2
apollo-server-fastify versions prior to 2.14.2
apollo-server-hapi versions prior to 2.14.2
apollo-server-koa versions prior to 2.14.2
apollo-server-lambda versions prior to 2.14.2
apollo-server-micro versions prior to 2.14.2
Description

The issue affects Apollo Server when subscriptions: false is not explicitly passed in the constructor options. In that case the WebSocket subscriptions transport stays enabled and allows schema introspection even when introspection is disabled on the HTTP transport. The severity depends on whether the schema itself contains sensitive information, such as schema descriptions or secrets revealed by type or field names. User-provided validation rules (validationRules) are also not enforced on the WebSocket subscriptions transport.
Recommendations

To resolve the issue, update Apollo Server to version 2.14.2 or later, making sure that both the affected integration package and the apollo-server-core package are updated to the patched version. As a temporary workaround, pass subscriptions: false in the ApolloServer constructor options; this disables all subscriptions support, including the WebSocket transport.
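The condition described above, as an added configuration audit (not code from the advisory or the Apollo project): it inspects an ApolloServer 2.x options object and reports when the WebSocket subscriptions transport stays enabled despite HTTP-side hardening. It assumes the real ApolloServer options introspection, subscriptions and validationRules; the auditApolloOptions helper and the sample option objects are constructed for this example.

```javascript
// Added example, not from the advisory or Apollo: audit ApolloServer 2.x
// constructor options for the subscriptions-transport exposure.
function auditApolloOptions(options = {}) {
  const findings = [];

  // Before 2.14.2 the WebSocket transport is disabled only when
  // `subscriptions: false` is passed explicitly; undefined (the default)
  // or a configuration object keeps the transport running.
  const subscriptionsEnabled = options.subscriptions !== false;

  if (subscriptionsEnabled && options.introspection === false) {
    findings.push(
      'introspection is disabled on HTTP but remains reachable over the subscriptions transport'
    );
  }

  if (
    subscriptionsEnabled &&
    Array.isArray(options.validationRules) &&
    options.validationRules.length > 0
  ) {
    findings.push('validationRules are not enforced on the subscriptions transport');
  }

  return { subscriptionsEnabled, findings };
}

// Constructed stand-in for a custom graphql-js validation rule (a function
// that receives a validation context and returns a visitor).
const exampleValidationRule = (context) => ({});

// Weak configuration from the advisory: introspection is turned off for HTTP,
// but `subscriptions` is left at its default, so the WebSocket transport still runs.
const weakOptions = {
  introspection: false,
  validationRules: [exampleValidationRule],
};

// Workaround from the advisory: disable subscriptions explicitly. The real
// fix is upgrading every affected package to 2.14.2 or later.
const hardenedOptions = {
  ...weakOptions,
  subscriptions: false,
};
```

Run auditApolloOptions against the options you actually pass to new ApolloServer(...); an empty findings list on a pre-2.14.2 deployment means the workaround is in place, not that the upgrade is unnecessary.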

Related Identifiers

GHSA-W42G-7VFC-XF37

Affected Products

Apollo Server
Apollo-Server-Azure-Functions
Apollo-Server-Cache-Memcached
Apollo-Server-Cloud-Functions
Apollo-Server-Cloudflare
Apollo-Server-Core
Apollo-Server-Express
Apollo-Server-Fastify
Apollo-Server-Hapi
Apollo-Server-Koa
Apollo-Server-Lambda
Apollo-Server-Micro