PT-2025-39694 · Apollo · Apollo Studio Embeddable Explorer, Apollo Studio Embeddable Sandbox

Published

2025-09-26

·

Updated

2025-09-27

·

CVE-2025-59845

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apollo Studio Embeddable Explorer versions prior to 3.7.3
Apollo Studio Embeddable Sandbox versions prior to 2.7.2
Description

A cross-site request forgery (CSRF) issue was identified in Apollo Studio Embeddable Explorer and Embeddable Sandbox. The root cause is missing origin validation in the client-side code that handles window.postMessage events: the embed does not check the origin of incoming messages, so a message from an untrusted window is handled like one from the legitimate host page. A malicious website can send crafted messages to the embedding page and cause the victim's browser to execute arbitrary GraphQL queries or mutations against the victim's GraphQL server, authenticated with the victim's cookies. In effect, the malicious website forces the vulnerable website to send GraphQL requests to its own origin. The requests appear legitimate, but their contents are dictated by the malicious website. The malicious website cannot read the responses to these operations, but the operations may have side effects, such as updating data access controls.
Recommendations

Update Apollo Studio Embeddable Explorer to version 3.7.3 or later.
Update Apollo Studio Embeddable Sandbox to version 2.7.2 or later.
If using Apollo Server, ensure NODE_ENV=production is set in production so that the embedded Sandbox is not served unintentionally.
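The following is an added illustration, not Apollo's code and not the real message protocol used by the embeds. It models a postMessage listener of the kind described above in its vulnerable form (acts on any message of the expected shape) and a hardened form (accepts only messages whose event.origin is an explicitly configured embedder origin). The message name ExecuteOperation, the origins, the executor, and the sample operations are all assumptions constructed for the example; the MessageEvent objects are constructed by hand so the code runs outside a browser.

```javascript
// Added example (not Apollo's code): a minimal model of an embedded GraphQL
// explorer's postMessage listener, vulnerable and hardened. The message
// protocol, origins and operations below are assumptions for illustration.

// Hypothetical message name the host page uses to ask the embed to run an
// operation (assumed; not the real protocol).
const EXECUTE_OPERATION = 'ExecuteOperation';

// Stand-in for the GraphQL request path: records every operation it is asked
// to run so the example can show which messages caused a request.
function makeRecordingExecutor() {
  const executed = [];
  return {
    executed,
    execute(operation) {
      executed.push(operation);
      return { data: null }; // response content is irrelevant here
    },
  };
}

// VULNERABLE: never looks at event.origin. Any window that can post to this
// one (for example a malicious page that framed or opened it) can make the
// victim's browser send the operation, with the victim's cookies, to the
// configured GraphQL endpoint.
function vulnerableHandler(executor) {
  return (event) => {
    const msg = event.data;
    if (!msg || msg.name !== EXECUTE_OPERATION) return;
    executor.execute({ query: msg.query, variables: msg.variables });
  };
}

// HARDENED: only act on messages whose origin is one the embed was explicitly
// configured to trust, and validate the message shape before using it.
// In a real browser event.origin is set by the browser and cannot be forged
// by the sending page.
function hardenedHandler(executor, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return (event) => {
    if (!allowed.has(event.origin)) return; // drop messages from other origins
    const msg = event.data;
    if (!msg || msg.name !== EXECUTE_OPERATION) return;
    if (typeof msg.query !== 'string') return;
    executor.execute({ query: msg.query, variables: msg.variables ?? {} });
  };
}

// Constructed events standing in for browser MessageEvent objects: one from
// the legitimate host page, one from an attacker-controlled page. Both origins
// and both operations are made up for this example.
const EMBED_PARENT_ORIGIN = 'https://app.example.com';
const ATTACKER_ORIGIN = 'https://evil.example.net';

const benignEvent = {
  origin: EMBED_PARENT_ORIGIN,
  data: { name: EXECUTE_OPERATION, query: '{ me { id } }' },
};
const hostileEvent = {
  origin: ATTACKER_ORIGIN,
  data: {
    name: EXECUTE_OPERATION,
    // A side-effecting mutation of the kind the advisory warns about.
    query: 'mutation { grantRole(userId: "attacker", role: ADMIN) { ok } }',
  },
};

// Feed both events to a handler and return the queries that reached the
// executor. In a browser the handler would be registered with
// window.addEventListener('message', handler).
function runScenario(handlerFactory) {
  const executor = makeRecordingExecutor();
  const onMessage = handlerFactory(executor);
  onMessage(benignEvent);
  onMessage(hostileEvent);
  return executor.executed.map((op) => op.query);
}

const vulnerableResult = runScenario(vulnerableHandler);
const hardenedResult = runScenario((ex) => hardenedHandler(ex, [EMBED_PARENT_ORIGIN]));
```

With the vulnerable handler both operations, including the attacker's mutation, are executed; with the hardened handler only the operation from the configured host origin runs. The check has to be on event.origin, not on anything inside event.data, because the message body is entirely attacker-controlled.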

Exploit

Fix

Weakness Enumeration

Origin Validation Error
CSRF

Related Identifiers

CVE-2025-59845
GHSA-W87V-7W53-WWXV

Affected Products

Apollo Studio Embeddable Explorer
Apollo Studio Embeddable Sandbox