PT-2023-32982 · Apollo Graphql · Apollo Server

Published: 2023-06-16 · Updated: 2023-06-16

Severity: None. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to 4.7.4

Description: The issue concerns the improper application of Content Security Policy (CSP) in Apollo Server's landing pages, which could fail to prevent XSS attacks if a viable attack vector exists. Although no XSS attack vectors are known, unreported and unpatched vectors could pose a risk to all users of Apollo Server's landing pages. The initial CSP implementation in version 4.7.1 reused nonces, which is not a safe or conventional way to implement CSP: a nonce only protects the page if an attacker cannot predict it, so a nonce reused across responses offers no real protection.

Recommendations: For Apollo Server versions prior to 4.7.4, update to version 4.7.4 to resolve the issue. As a temporary workaround, consider disabling the landing page completely until you can upgrade to the patched version, by following the instructions at https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page.

Related Identifiers

GHSA-68JH-RF6X-836F

Affected Products

Apollo Server