PT-2023-33035 · Unknown · Apollo Server

Published: 2023-08-30 · Updated: 2023-08-30

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to the latest version

Description: Apollo Server can log sensitive information, specifically Apollo Studio API keys, under certain conditions. This occurs when an API key is passed with leading or trailing whitespace or contains characters that are not valid in an HTTP header value. Users are affected if they use the schema reporting or usage reporting feature, have an Apollo Studio API key that is not a valid header value, and use the default fetcher (node-fetch) or a configured node-fetch fetcher. The resulting errors can be logged, potentially exposing the API key.

Recommendations: For Apollo Server versions prior to the latest version, update to the latest version of Apollo Server, which includes patches for this issue. As a temporary workaround, consider retrieving a new API key from Studio, overriding the fetcher, or disabling schema reporting and/or usage reporting to minimize the risk of exploitation.
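As an added example (not Apollo Server's or node-fetch's own code), the defensive pattern that closes this class of leak: validate the key as a header value before it reaches the fetcher, and redact the key from any fetcher error before logging it. The fetcher here is a constructed stand-in; it assumes, as some header validators do, that the rejected value is quoted in the error message, and every name below is hypothetical.

```javascript
// Added example (not Apollo Server's own code). Two defensive layers against
// the failure mode in the advisory: (1) reject a Studio API key that is not a
// valid HTTP header value before it reaches the fetcher, and (2) redact the
// key from any fetcher error before it is logged.

// Strict check: non-empty, no leading/trailing whitespace, and only visible
// ASCII (0x21-0x7E), which is all a single-token header value should contain.
function checkApiKey(key) {
  if (typeof key !== 'string' || key.length === 0) return { ok: false, reason: 'empty key' };
  if (key !== key.trim()) return { ok: false, reason: 'leading/trailing whitespace' };
  if (!/^[\x21-\x7e]+$/.test(key)) return { ok: false, reason: 'invalid header characters' };
  return { ok: true, reason: '' };
}

// Replace every occurrence of the secret in a message with a marker.
function redact(message, secret) {
  return secret ? message.split(secret).join('[REDACTED]') : message;
}

// Constructed stand-in for a fetcher (assumption: like some header validators,
// it quotes the rejected header value in its error message).
function fakeFetcher(url, { headers }) {
  const value = headers['x-api-key'];
  if (!/^[\x21-\x7e]+$/.test(value)) {
    throw new TypeError(`${value} is not a legal HTTP header value`);
  }
  return { status: 200, url };
}

// Layer 2 on its own: any error from the fetcher is logged only after redaction.
function sendWithRedaction(fetcher, apiKey, log) {
  try {
    fetcher('https://example.invalid/report', { headers: { 'x-api-key': apiKey } });
    return true;
  } catch (err) {
    log(redact(String(err && err.message), apiKey));
    return false;
  }
}

// Layers 1 and 2 together: a malformed key never reaches the fetcher, and the
// rejection log line names the reason, not the key.
function reportWithKey(fetcher, apiKey, log) {
  const check = checkApiKey(apiKey);
  if (!check.ok) {
    log(`API key rejected before sending: ${check.reason}`);
    return false;
  }
  return sendWithRedaction(fetcher, apiKey, log);
}
```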

Related Identifiers

GHSA-J5G3-5C8R-7QFX

Affected Products

Apollo Server