PT-2022-28174 · Apollo · Apollo Server 2+1

Published 2022-10-12 · Updated 2022-10-12

Severity rating: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Apollo Server 2 versions prior to 2.25.4
Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled
Description

The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests, allowing JS on any origin to cause browsers to send cookie-authenticated mutations to the GraphQL server without checking the CORS policy first. This can lead to side effects of the mutation happening even if the CORS policy is set up properly. Additionally, if the GraphQL server relies on network properties for security, JS on any origin can cause browsers to send mutations to the server, which will be executed without checking the CORS policy first.
Recommendations

For Apollo Server 2 versions prior to 2.25.4 that do not use uploads, upgrade to Apollo Server 2.25.4 to automatically disable graphql-upload.
For Apollo Server 2 versions that use uploads, upgrade to Apollo Server 3.7 and enable the CSRF prevention feature.
For Apollo Server versions that manually integrate with graphql-upload, enable some sort of CSRF prevention feature, such as the CSRF prevention feature in Apollo Server 3.7.
As a temporary workaround, specify uploads: false to new ApolloServer to disable the graphql-upload integration and protect against CSRF mutations, but note that this will still leave the server vulnerable to non-mutation CSRF attacks.
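The description and recommendations above hinge on one browser rule: a cross-origin POST whose content-type is one of the CORS "simple" types (text/plain, application/x-www-form-urlencoded, multipart/form-data) and that carries no custom header is sent without a preflight, so the server's CORS policy is never consulted before graphql-upload parses the body. The Node.js script below is an added example, not code from Apollo, graphql-upload or this advisory. It models that classification and the two mitigations named above side by side: the `uploads: false` workaround (multipart bodies are no longer parsed, but GET queries still execute) and Apollo Server 3.7's `csrfPrevention` rule (every preflight-free request is refused unless it carries a header that forces a preflight). The header names `x-apollo-operation-name` and `apollo-require-preflight` are Apollo Server 3.7's documented defaults; the sample requests are constructed for the example, not captured traffic.

```javascript
// Added example, not code from Apollo, graphql-upload or the advisory.
// Models the CORS simple-request rule and the two mitigations the advisory lists.

// Content types a browser may send cross-origin without a CORS preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Non-safelisted headers: their presence forces the browser to preflight.
// These two names are Apollo Server 3.7's csrfPrevention defaults.
const PREFLIGHT_FORCING_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// "multipart/form-data; boundary=abc" -> "multipart/form-data"
function mediaType(contentType) {
  return contentType ? contentType.split(';')[0].trim().toLowerCase() : '';
}

// True when a browser would send this request cross-origin with no preflight.
// A missing content-type (a plain GET, for instance) counts as simple.
function isSimpleRequest(req) {
  const headers = normalizeHeaders(req.headers);
  if (!['GET', 'HEAD', 'POST'].includes(req.method.toUpperCase())) return false;
  const type = mediaType(headers['content-type']);
  if (type && !SIMPLE_CONTENT_TYPES.has(type)) return false;
  return !PREFLIGHT_FORCING_HEADERS.some((h) => h in headers);
}

// Workaround from the advisory (uploads: false): multipart bodies are not
// parsed, so they cannot carry a mutation. Every other request still runs,
// which is why non-mutation (GET query) CSRF remains possible.
function uploadsDisabledCheck(req) {
  const type = mediaType(normalizeHeaders(req.headers)['content-type']);
  if (type === 'multipart/form-data') {
    return { allowed: false, reason: 'multipart body ignored: uploads disabled' };
  }
  return { allowed: true, reason: 'executed' };
}

// Full mitigation (csrfPrevention): refuse any request the browser could have
// sent without a preflight, since only a preflighted request has passed CORS.
function csrfPreventionCheck(req) {
  if (!isSimpleRequest(req)) {
    return { allowed: true, reason: 'request required a CORS preflight' };
  }
  return {
    allowed: false,
    reason: `simple request refused; use application/json or add one of: ${PREFLIGHT_FORCING_HEADERS.join(', ')}`,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  // What a cross-origin HTML form post looks like when it reaches graphql-upload.
  multipartMutation: {
    method: 'POST',
    headers: { 'Content-Type': 'multipart/form-data; boundary=x', Cookie: 'session=abc' },
  },
  // A normal GraphQL client: non-simple content-type, so a preflight happened.
  jsonMutation: {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Cookie: 'session=abc' },
  },
  // A legitimate upload client that opted in to the preflight.
  multipartUploadWithPreflight: {
    method: 'POST',
    headers: { 'Content-Type': 'multipart/form-data; boundary=x', 'Apollo-Require-Preflight': 'true' },
  },
  // A GET query with no custom headers: the case the uploads:false workaround leaves open.
  getQuery: { method: 'GET', headers: { Cookie: 'session=abc' } },
};

// Evaluate every sample under both mitigations; returns one row per request.
function evaluateAll(requests = SAMPLE_REQUESTS) {
  const rows = {};
  for (const [name, req] of Object.entries(requests)) {
    rows[name] = {
      simple: isSimpleRequest(req),
      uploadsDisabled: uploadsDisabledCheck(req).allowed,
      csrfPrevention: csrfPreventionCheck(req).allowed,
    };
  }
  return rows;
}

console.table(evaluateAll());
```

Run it with `node` and compare the `uploadsDisabled` and `csrfPrevention` columns: the multipart mutation is stopped by both, the GET query only by csrfPrevention, and a legitimate upload client still works under csrfPrevention once it sends the `apollo-require-preflight` header, which is the upgrade path the advisory recommends for servers that need uploads.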

CSRF

Weakness Enumeration

Related Identifiers

GHSA-2P3C-P3QW-69R4

Affected Products

Apollo Server 2
Apollo Server 3