PT-2021-23213

Ry0Tak · Published 2021-11-04 · Updated 2021-11-09 · CVE-2021-41249

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

graphql-playground-react versions prior to 1.7.28
graphiql versions prior to 1.4.7
Description

The vulnerability allows compromised HTTP schema introspection responses, or schema prop values, to carry malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. This can occur when a user loads a malicious schema in graphql-playground or graphiql, for example by specifying a URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground or graphiql installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or to pursue other harmful goals.
Recommendations

- If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.
- If you are using graphql-playground-html or a package whose name starts with graphql-playground-middleware- in your server and you are passing the version option to a function imported from that package, change that version option to be at least "1.7.28".
- If you are using graphql-playground-html or a package whose name starts with graphql-playground-middleware- in your server and you are NOT passing the version option to a function imported from that package, no action is necessary; your app automatically loads the latest version of graphql-playground-react from CDN.
- If you are using graphiql, upgrade to version 1.4.7 or later.
- Always use a static URL to a trusted server that is serving a trusted GraphQL schema.
- If you have a custom implementation that allows user-provided schema URLs via a query parameter, database value, etc., you must either disable this customization or only allow trusted URLs.
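The two controls the advisory recommends, an allowlist for user-supplied endpoint URLs and a sanity check on introspection data before it reaches the IDE's autocomplete, as an added example. This is illustrative code, not the advisory's or the graphql-playground/graphiql projects' own fix; the function names, the allowlist shape and the sample introspection objects are constructed for the example.

```javascript
// Added example (not part of the advisory or the affected projects): two
// defensive checks a host application can apply before handing a schema
// source to an embedded GraphQL IDE.
//
// 1. isTrustedEndpoint: accept an endpoint URL taken from a query parameter
//    only if it is https and its full origin is on an explicit allowlist
//    (the advisory's "only allow trusted URLs" recommendation).
// 2. validateIntrospection: reject an introspection response whose type or
//    field names fall outside the GraphQL Name grammar, since markup in such
//    names is what the advisory describes reaching the autocomplete UI.

const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

function isTrustedEndpoint(candidate, allowedOrigins) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or malformed input
  } catch {
    return false;
  }
  // Compare the whole origin (scheme + host + port), never a substring,
  // so a look-alike host that merely contains the trusted name is rejected.
  return url.protocol === 'https:' && allowedOrigins.includes(url.origin);
}

function validateIntrospection(introspection) {
  const types = introspection?.__schema?.types;
  if (!Array.isArray(types)) {
    return { ok: false, reason: 'missing __schema.types' };
  }
  for (const type of types) {
    if (typeof type.name !== 'string' || !GRAPHQL_NAME.test(type.name)) {
      return { ok: false, reason: `invalid type name: ${JSON.stringify(type.name)}` };
    }
    for (const field of type.fields ?? []) {
      if (typeof field.name !== 'string' || !GRAPHQL_NAME.test(field.name)) {
        return { ok: false, reason: `invalid field name on ${type.name}: ${JSON.stringify(field.name)}` };
      }
    }
  }
  return { ok: true, reason: '' };
}

// Constructed sample introspection responses: one well-formed, one with a
// type name that no GraphQL server could legitimately produce.
const GOOD_INTROSPECTION = { __schema: { types: [{ name: 'Query', fields: [{ name: 'viewer' }] }] } };
const BAD_INTROSPECTION = { __schema: { types: [{ name: 'Query<injected>', fields: [] }] } };

console.log(isTrustedEndpoint('https://api.example.com/graphql', ['https://api.example.com']));
console.log(validateIntrospection(BAD_INTROSPECTION).reason);
```

A host application would run both checks before mounting the IDE; a failed check means falling back to the static, trusted endpoint rather than the user-supplied one.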

Fix

Weakness Enumeration

XSS

Related Identifiers

CVE-2021-41249
GHSA-59R9-6JP6-JCM7
GHSA-X4R7-M2Q9-69C8

Affected Products

Graphql
Graphql-Playground-Html
Graphql-Playground-React