8 matches found
EUVD-2025-31347
Malicious code in bioql PyPI...
CVE-2025-59845 Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery CSRF vulnerability was identified. The vulnerability arises from missing orig...
CVE-2025-59845 Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery CSRF vulnerability was identified. The vulnerability arises from missing orig...
CVE-2025-59845 Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery CSRF vulnerability was identified. The vulnerability arises from missing orig...
@revisium/admin (>=1.4.0 <=2.0.0) potentially affected by CVE-2025-59845 via @apollo/sandbox (=2.7.1)
@apollo/sandbox NPM version =2.7.1 is affected by a known vulnerability. The following packages have a transitive dependency on @apollo/sandbox and may be impacted: - @revisium/admin =1.4.0, =2.0.0 Source cves: CVE-2025-59845 Source advisory: OSV:GHSA-W87V-7W53-WWXV...
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Impact A Cross-Site Request Forgery CSRF vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the...
@revisium/admin (>=1.4.0 <=2.0.0) potentially affected by CVE-2025-59845 via @apollo/sandbox (=2.7.1)
@apollo/sandbox NPM version =2.7.1 is affected by a known vulnerability. The following packages have a transitive dependency on @apollo/sandbox and may be impacted: - @revisium/admin =1.4.0, =2.0.0 Source cves: CVE-2025-59845 Source advisory: SNYK:JS-APOLLOSANDBOX-13110033...
Cross-site Request Forgery (CSRF)
Overview @apollo/sandbox is a This repo hosts the source for Apollo Studio's Embeddable Sandbox Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via missing origin validation in the window.postMessage process. An attacker can execute unauthorized GraphQL queries...