PT-2022-28172 · Apollo · Apollo Server
Published 2022-08-18 · Updated 2022-08-18
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apollo Server versions 3.0.0 through 3.10.0
Description
The default landing page in Apollo Server contains HTML to display a sample curl command. This command is made visible if the full landing page bundle cannot be fetched from Apollo's CDN. On older browsers such as IE11, the server's URL is directly interpolated into this command inside the browser from window.location.href without URI-encoding, potentially allowing execution of attacker-controlled JavaScript. This issue affects Apollo Server with the default landing page enabled.
Recommendations
To resolve the issue, update to release 3.10.1 or later, where the sample curl command has been removed.
As a temporary workaround, consider disabling the landing page by passing ApolloServerPluginLandingPageDisabled() to the plugins option of new ApolloServer.
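As an added illustration, not code from Apollo Server or from this advisory: the description above boils down to a location string being concatenated into HTML without encoding. The snippet below contrasts that pattern with a hardened rendering of the same kind of curl hint. The function names, the hint text and the sample URLs are constructed for this example, and the `href` argument stands in for window.location.href; it runs under Node.js with no browser.

```javascript
// Added example (not Apollo's code): unencoded interpolation of a location
// string into HTML, next to a hardened version of the same curl hint.
// `href` stands in for window.location.href.

// Minimal HTML escaping for text that ends up inside an element body or a
// quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern: the page URL is dropped straight into markup, so any
// markup characters carried in the URL become markup in the page.
function renderCurlHintUnsafe(href) {
  return `<pre>curl --request POST --url ${href} ` +
    `--header 'content-type: application/json' --data '{"query":"{ __typename }"}'</pre>`;
}

// Hardened pattern:
//  1. parse the string as a URL instead of trusting it, and rebuild only the
//     parts the hint needs (scheme, host, path), dropping query and fragment;
//  2. refuse anything that is not http(s);
//  3. the WHATWG URL parser percent-encodes markup characters in the path
//     (e.g. '<' becomes %3C), which is the URI-encoding the advisory notes
//     was missing;
//  4. HTML-escape the result before concatenating it into markup.
// Returns null when the input cannot be turned into a usable endpoint.
function renderCurlHintSafe(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null; // not a URL at all
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;
  }
  const endpoint = url.origin + url.pathname;
  return `<pre>curl --request POST --url ${escapeHtml(endpoint)} ` +
    `--header 'content-type: application/json' --data '{"query":"{ __typename }"}'</pre>`;
}

// Constructed sample: a location string carrying markup characters in its path.
const sampleHref = 'http://localhost:4000/graphql/<b>"';
console.log('unsafe:', renderCurlHintUnsafe(sampleHref));
console.log('safe:  ', renderCurlHintSafe(sampleHref));
```

The hardened function is there to make the defect class concrete; the advisory's own remediation is to upgrade to 3.10.1 or later, or to disable the landing page with ApolloServerPluginLandingPageDisabled() until that is possible.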
Weakness Enumeration
XSS
Related Identifiers
Affected Products
Apollo Server