PT-2021-23212 · Graphql
Author: Ry0Tak
Published: 2021-11-04
Updated: 2024-11-08
CVE-2021-41248
CVSS v3.1: 7.1 (High)
CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
- graphiql versions prior to 1.4.7
- graphql-playground-react versions prior to 1.7.28
Description
The vulnerability allows a compromised HTTP schema introspection response, or a schema prop value, that contains malicious GraphQL type names to expose a dynamic XSS attack surface, enabling code injection during operation autocomplete. For the attack to take place, the user must load a vulnerable schema in graphiql or graphql-playground. By default, the schema URL is not attacker-controllable, leaving only very complex attack vectors. However, if a custom implementation allows the schema URL to be set dynamically, it becomes vulnerable to phishing attacks and to XSS attacks requiring low or no privileges. The vulnerability affects all forks of graphiql and every released version of graphiql, but does not impact codemirror-graphql, monaco-graphql, or other dependents.
Recommendations
- For graphiql versions prior to 1.4.7, upgrade to version 1.4.7 or later.
- For graphql-playground-react versions prior to 1.7.28, upgrade to version 1.7.28 or later.
- If you are using graphql-playground-html or a package which starts with graphql-playground-middleware- in your server and you are passing the version option to a function imported from that package, change that version option to be at least "1.7.28".
- If you are using graphql-playground-html or a package which starts with graphql-playground-middleware- in your server and you are NOT passing the version option to a function imported from that package, no action is necessary; your app automatically loads the latest version of graphql-playground-react from CDN.
- Always use a static URL to a trusted server that is serving a trusted GraphQL schema.
- If you have a custom implementation that allows using user-provided schema URLs via a query parameter, database value, etc., you must either disable this customization or only allow trusted URLs.
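As an added example (not code from the advisory or from the graphiql project), two checks a host application can apply before handing a schema to GraphiQL or GraphQL Playground: reject introspection results whose names violate the GraphQL Name grammar, and restrict the schema URL to a static allowlist. The trusted endpoint and the sample introspection data are constructed for illustration.

```javascript
// Added example, not part of the advisory or of the graphiql project.
// Defensive checks for a host page that embeds GraphiQL / GraphQL Playground.

// GraphQL Name grammar from the spec. A type, field or argument name that
// violates it cannot come from a well-formed schema, so it is a strong signal
// that an introspection response was tampered with in transit or at the source.
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Walk an introspection result and collect every type, field and argument
// name that is not a valid GraphQL Name. Returns [] for a clean schema.
function findInvalidNames(introspection) {
  const bad = [];
  const schema = introspection && introspection.__schema;
  for (const t of (schema && schema.types) || []) {
    if (!GRAPHQL_NAME.test(String(t.name))) bad.push(String(t.name));
    for (const f of t.fields || []) {
      if (!GRAPHQL_NAME.test(String(f.name))) bad.push(String(f.name));
      for (const a of f.args || []) {
        if (!GRAPHQL_NAME.test(String(a.name))) bad.push(String(a.name));
      }
    }
  }
  return bad;
}

// Mitigation from the advisory: only load schemas from trusted, static
// endpoints. A candidate URL (for example from a query parameter) is accepted
// only if it is HTTPS and its origin + path exactly match the allowlist.
const TRUSTED_ENDPOINTS = ['https://api.example.com/graphql']; // constructed

function isTrustedSchemaUrl(candidate) {
  let u;
  try { u = new URL(String(candidate)); } catch (e) { return false; }
  if (u.protocol !== 'https:') return false;
  return TRUSTED_ENDPOINTS.includes(u.origin + u.pathname);
}

// Constructed introspection fragment with one tampered type name.
const SAMPLE_INTROSPECTION = {
  __schema: {
    types: [
      { name: 'Query', fields: [{ name: 'user', args: [{ name: 'id' }] }] },
      { name: 'Bad<Name>', fields: [] }, // not a legal GraphQL Name
    ],
  },
};
```

A host page would run both checks before passing the `schema` prop or the fetched introspection result to the editor, and refuse to load anything that fails either one.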
Fix
XSS
Affected Products
- Graphql
- Graphql-Playground-Html
- Graphql-Playground-React