GitHub Advisory DatabaseGHSA-4852-VRH7-28RFReflected XSS in GraphQL Playground
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
52.1%
Impact
directly impacted:
graphql-playground-html@<1.6.22- all unsanitized user input forrenderPlaygroundPage()
all of our consuming packages of graphql-playground-html are impacted:
graphql-playground-middleware-express@<1.7.16- unsanitized user input toexpressPlayground()graphql-playground-middleware-koa@<1.6.15- unsanitized user input tokoaPlayground()graphql-playground-middleware-lambda@<1.7.17- unsanitized user input tolambdaPlayground()graphql-playground-middleware-hapi@<1.6.13- unsanitized user input tohapiPlayground()
as well as any other packages that use these methods with unsanitized user input.
not impacted:
graphql-playground-electron- usesrenderPlaygroundPage()statically for a webpack build for electron bundle, no dynamic user inputgraphql-playground-react- usage of the component directly in a react application does not expose reflected XSS vulnerabilities. only the demo inpublic/contains the vulnerability, because it uses an old version of the html pacakge.
Patches
upgrading to the above mentioned versions will solve the issue.
If you’re using graphql-playground-html directly, then:
yarn add graphql-playground-html@^1.6.22
or
npm install --save graphql-playground-html@^1.6.22
Then, similar steps need to be taken for each middleware:
Workarounds
Ensure you properly sanitize all user input for options you use for whatever function to initialize GraphQLPlayground:
for example, with graphql-playground-html and express:
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(renderPlaygroundPage({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
or, with graphql-playground-express:
const { expressPlayground } = require('graphql-playground-middleware-express');
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
References
Credits
Masato Kinugawa of Cure53
For more information
If you have any questions or comments about this advisory:
- Open an issue in graphql-playground
- Email us at [email protected]
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| graphql-playground-html | lt | 1.6.22 |
References
github.com/advisories/GHSA-4852-vrh7-28rf
github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
github.com/prisma-labs/graphql-playground#security-details
github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
nvd.nist.gov/vuln/detail/CVE-2020-4038
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
52.1%