PT-2021-24452 · Apollo · Apollo Server
Published
2021-11-08
·
Updated
2021-11-08
Severity: no severity ratings or metrics are available for this entry.
Name of the Vulnerable Software and Affected Versions:
Apollo Server versions prior to 2.25.3
Apollo Server versions prior to 3.4.1
Description:
A cross-site scripting (XSS) vulnerability exists in GraphQL Playground, the interactive query IDE that Apollo Server serves as its landing page in certain configurations. An attacker who gets a victim to open a specially crafted link to the Playground page can run arbitrary JavaScript in the GraphQL server's origin, which allows theft of cookies and other browser-stored data for that origin. The impact is greater when the GraphQL server's origin is also used to store sensitive data (for example session cookies or localStorage tokens shared with a web application on the same origin).
The number of potentially affected deployments is not specified. Exploitation requires user interaction: a victim must follow the crafted link to the Playground page served by Apollo Server.
Affected configurations: GraphQL Playground is served when the ApolloServerPluginLandingPageGraphQLPlayground plugin is enabled in Apollo Server 3, or through the playground option in Apollo Server 2. Note that Apollo Server 2 enables Playground by default unless NODE_ENV is set to production, so Apollo Server 2 deployments that never set the playground option explicitly are affected in non-production environments.
Recommendations:
For Apollo Server versions prior to 2.25.3, upgrade to version 2.25.3 or later.
For Apollo Server versions prior to 3.4.1, upgrade to version 3.4.1 or later.
As a temporary workaround, disable GraphQL Playground: remove the ApolloServerPluginLandingPageGraphQLPlayground plugin in Apollo Server 3, or set playground: false in Apollo Server 2.
Alternatively, configure Apollo Server to serve the fixed version of the GraphQL Playground front end by setting the plugin's version option to 1.7.42 in Apollo Server 3 (ApolloServerPluginLandingPageGraphQLPlayground({ version: '1.7.42' })) or the playground option's version field to 1.7.42 in Apollo Server 2 (playground: { version: '1.7.42' }).
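Because the fix is a deployment setting rather than a code change in the application, the practical question after applying one of the recommendations is whether a running server still serves an old Playground build. The following check is an added example, not code from Apollo or from this advisory. It assumes that the Playground HTML page served by Apollo Server loads its front-end bundle from jsDelivr with a URL of the form //cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@<version>/build/static/js/middleware.js, so the pinned version can be read out of the page source; the sample pages below are constructed for the example and were not captured from a real server.

```javascript
// Added example (not Apollo's code): classify an Apollo Server landing page as
// serving a vulnerable GraphQL Playground build (< 1.7.42), a patched one, or
// no Playground at all.
//
// Assumption: the served HTML references the Playground bundle as
//   //cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@<version>/build/static/js/middleware.js

const PATCHED_PLAYGROUND_VERSION = '1.7.42';

// Extract the graphql-playground-react version from the page source, or null
// when the page does not load Playground (landing page disabled, or a
// different landing page such as Apollo Sandbox).
function playgroundVersion(html) {
  const m = /graphql-playground-react@(\d+\.\d+\.\d+)\//.exec(html);
  return m ? m[1] : null;
}

// Numeric comparison of dotted version strings: negative if a < b, zero if
// equal, positive if a > b. Handles 1.10.0 > 1.9.9 correctly, unlike a
// plain string comparison.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns { status: 'not-playground' | 'vulnerable' | 'patched', version }.
function assessLandingPage(html) {
  const version = playgroundVersion(html);
  if (version === null) return { status: 'not-playground', version: null };
  const status =
    compareVersions(version, PATCHED_PLAYGROUND_VERSION) < 0 ? 'vulnerable' : 'patched';
  return { status, version };
}

// Fetch a live endpoint the way a browser would (GET with an HTML Accept
// header, which is what makes Apollo Server return the landing page instead
// of a GraphQL response). Requires Node 18+ for the global fetch.
async function assessUrl(url) {
  const res = await fetch(url, { headers: { accept: 'text/html' } });
  return assessLandingPage(await res.text());
}

// Constructed sample pages (not captured from a real deployment).
const SAMPLE_OLD = `<!DOCTYPE html><html><head>
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@1.7.33/build/static/css/index.css" />
<script src="//cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@1.7.33/build/static/js/middleware.js"></script>
</head><body><div id="root"></div></body></html>`;

// Same page after pinning the version option to 1.7.42.
const SAMPLE_PINNED = SAMPLE_OLD.replace(/1\.7\.33/g, '1.7.42');

// What a server with the landing page disabled might return for a GET.
const SAMPLE_DISABLED = '<!DOCTYPE html><html><body>Not found</body></html>';

for (const [name, html] of [
  ['old', SAMPLE_OLD],
  ['pinned', SAMPLE_PINNED],
  ['disabled', SAMPLE_DISABLED],
]) {
  console.log(name, assessLandingPage(html));
}
```

To audit a real deployment, call assessUrl with the GraphQL endpoint URL (for example http://localhost:4000/graphql) and treat anything other than 'patched' or 'not-playground' as a finding; a 'not-playground' result on a server that is supposed to use Playground may also mean the Accept header was not honoured, so confirm by viewing the page in a browser.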
Weakness Enumeration
Cross-site scripting (XSS)
Related Identifiers
Affected Products
Apollo Server