88 matches found

Source: OSV | Added: 2026/05/06 1:27 p.m. | Views: 1

ROOT-APP-NPM-CVE-2026-23897 CVE-2026-23897 in @rootio/apollo__server - Patched by Root

Root has patched CVE-2026-23897 in the @rootio/apolloserver package for Root:npm. Multiple fixed versions available...

CVSS 7.5 | AI score 5.8 | EPSS 0.00023 | Exploits: 0
Source: CNNVD | Added: 2026/04/09 12:00 a.m. | Views: 3

Apollo MCP Server access control error vulnerability

The Apollo MCP Server is an open-source service from Apollo GraphQL that exposes GraphQL operations as AI tools. Versions of the Apollo MCP Server prior to 1.7.0 contained an access control vulnerability that stemmed from the lack of validation of the Host header in incoming HTTP...

CVSS 8.1 | AI score 5.8 | EPSS 0.00027 | Exploits: 0 | References: 4
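The CNNVD entry above names a missing Host header check as the root cause. The following is an added example of the kind of Host allow-list a locally bound HTTP service applies before routing a request; it is illustration written for this page, not Apollo MCP Server's code, and the accepted hostnames and the listen port are assumptions. Validating Host ties the service to the names it is meant to be reached under, which is the standard defence when a service on a loopback address could otherwise be driven by a page that an attacker's DNS has pointed at 127.0.0.1.

```javascript
// Added example: Host-header allow-list for a locally bound HTTP service.
// Not Apollo MCP Server's code; ALLOWED_HOSTS and LISTEN_PORT are assumptions.

const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']); // assumed
const LISTEN_PORT = 5000;                                            // assumed

// Split a Host header into hostname and port, handling bracketed IPv6 literals.
// Returns null for values that are missing or syntactically invalid.
function parseHost(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.trim() === '') return null;
  const value = hostHeader.trim();
  let hostname;
  let rest;
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    if (end === -1) return null;
    hostname = value.slice(0, end + 1);
    rest = value.slice(end + 1);
  } else {
    const colon = value.lastIndexOf(':');
    // An unbracketed value with several colons is a malformed IPv6 literal.
    if (colon !== -1 && value.indexOf(':') !== colon) return null;
    hostname = colon === -1 ? value : value.slice(0, colon);
    rest = colon === -1 ? '' : value.slice(colon);
  }
  if (hostname === '') return null;
  let port = null;
  if (rest !== '') {
    if (!/^:\d{1,5}$/.test(rest)) return null;
    port = Number(rest.slice(1));
  }
  return { hostname: hostname.toLowerCase(), port };
}

// Accept only a Host that names one of the expected hostnames and, when a
// port is present, the port this service actually listens on.
function hostAllowed(hostHeader) {
  const parsed = parseHost(hostHeader);
  if (parsed === null) return false;
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return false;
  return parsed.port === null || parsed.port === LISTEN_PORT;
}

// Node http-style guard to run before any route handler. Returns whether the
// request was passed on, so the decision can be checked without a socket.
function enforceHost(req, res, next) {
  if (!hostAllowed(req.headers.host)) {
    res.statusCode = 421; // Misdirected Request: not an authority we serve
    res.end('Host header not accepted by this server\n');
    return false;
  }
  next();
  return true;
}
```

Wire `enforceHost` in front of the MCP or GraphQL handler; anything that reaches the handler then carries a Host value the operator chose, not one an attacker-controlled page supplied.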
Source: OSV | Added: 2026/04/08 10:52 a.m. | Views: 0

ROOT-APP-NPM-GHSA-9Q82-XGWF-VJ6H GHSA-9q82-xgwf-vj6h in @rootio/@apollo/server - Patched by Root

Root has patched GHSA-9q82-xgwf-vj6h in the @rootio/@apollo/server package for Root:npm. Multiple fixed versions available...

AI score 5.8 | Exploits: 0
Source: vulnersOsv | Added: 2026/03/26 9:53 p.m. | Views: 4

@2ly/runtime (>=0.0.3 <=0.2.5), @aa.tamura/lib-gqf (>=0.0.1 <=0.0.5) +551 more potentially affected by unknown CVE via @apollo/server (>=4.10.0 <=5.4.0)

@apollo/server NPM version =4.10.0, =0.0.3, =0.0.1, =0.0.0, =0.0.9, =1.0.6, =0.0.4, =0.0.29, =0.0.4, =0.0.4, =0.0.29, =0.0.32, =1.1.1, =4.1.0, =0.0.0, =0.2.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9Q82-XGWF-VJ6H...

AI score 5.8 | Exploits: 0
Source: vulnersOsv | Added: 2026/03/26 9:53 p.m. | Views: 4

2mxdev-gql-gateway (=1.0.0), 4m-node-server (>=0.0.1 <=0.0.8) +3178 more potentially affected by unknown CVE via apollo-server-core (>=1.3.2 <=3.9.0)

apollo-server-core NPM version =1.3.2, =0.0.1, =1.0.2, =0.0.80, =3.10.1, =1.2.0-pre.24, =1.0.1, =1.0.0, =1.0.0, =0.5.0, =1.0.0, =0.1.3, =0.0.1, =0.1.1, =0.0.1, =0.0.5 and more Source cves: unknown CVE Source advisory: SNYK:JS-APOLLOSERVERCORE-15790567...

AI score 5.8 | Exploits: 0
Source: Github Security Blog | Added: 2026/03/26 9:53 p.m. | Views: 2

Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention

Impact: In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response by the Cross-Origin Resource Sharing (CORS) protocol, an...

AI score 5.9 | Exploits: 0 | References: 6 | Affected software: 2
Source: vulnersOsv | Added: 2026/03/26 9:53 p.m. | Views: 3

2mxdev-gql-gateway (=1.0.0), 4m-node-server (>=0.0.1 <=0.0.8) +3174 more potentially affected by unknown CVE via apollo-server-core (>=1.3.2 <=3.13.0)

apollo-server-core NPM version =1.3.2, =0.0.1, =1.0.2, =0.0.80, =3.10.1, =1.2.0-pre.24, =1.0.1, =1.0.0, =1.0.0, =0.5.0, =1.0.0, =0.1.3, =0.1.0, =0.4.52, =0.0.1, =0.0.5 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9Q82-XGWF-VJ6H...

AI score 5.8 | Exploits: 0
Source: OSV | Added: 2026/03/26 9:53 p.m. | Views: 2

GHSA-9Q82-XGWF-VJ6H Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention

Impact: In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response by the Cross-Origin Resource Sharing (CORS) protocol, an...

CVSS 6.3 | AI score 6 | Exploits: 0 | References: 6
Source: vulnersOsv | Added: 2026/03/26 9:53 p.m. | Views: 2

@apollo/server-integration-testsuite (>=5.0.0 <=5.4.0), @commitspark/graphql-api (>=1.0.0-beta.3 <=1.0.0-beta.6) +24 more potentially affected by unknown CVE via @apollo/server (>=5.0.0-rc.0 <=5.4.0)

@apollo/server NPM version =5.0.0-rc.0, =5.0.0, =1.0.0-beta.3, =1.217.0, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =0.2.3, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.22.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-APOLLOSERVER-15790568...

AI score 5.8 | Exploits: 0
Source: Snyk | Added: 2026/03/26 9:53 p.m. | Views: 2

Information Exposure

Overview apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer sensitive information about server responses by issuing specially crafted...

CVSS 6.3 | AI score 5.9 | Exploits: 0 | References: 2
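The Github Security Blog, OSV (GHSA-9Q82-XGWF-VJ6H) and Snyk "Information Exposure" entries above all describe the same class of attack: a cookie-authenticated request that a browser will send cross-site without asking the server first, whose response the attacker cannot read but can still measure. The defence those entries refer to is to execute an operation only when the request could not have been sent without a CORS preflight. The following is an added example of that rule, modelled on the behaviour Apollo Server documents for its csrfPrevention option but written for this page as illustration, not Apollo's code; the two header names are Apollo's documented defaults and are assumed here, and the sample requests are constructed.

```javascript
// Added example: "require a preflight" rule behind XS-Search / read-only CSRF
// prevention. Illustration only, not Apollo Server's implementation; header
// names are Apollo's documented defaults, assumed for this example.

// Content types a browser sends cross-site WITHOUT a CORS preflight
// (the CORS-safelisted request content types).
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Custom request headers: any of these forces the browser to preflight,
// so their presence proves the server's CORS policy was consulted.
const PREFLIGHT_FORCING_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = value;
  return out;
}

// Media type of a Content-Type value with its parameters stripped.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// True if a browser could only have sent this request after a successful CORS
// preflight. A "simple" request (GET with no custom headers, or a POST with a
// safelisted content type) can be sent by any origin, cookies attached, without
// the server's consent, so it must not be allowed to execute an operation.
function provablyPreflighted(headers) {
  const h = lowerCaseHeaders(headers);
  if (PREFLIGHT_FORCING_HEADERS.some((name) => name in h)) return true;
  const type = mediaType(h['content-type']);
  return type !== '' && !SIMPLE_CONTENT_TYPES.has(type);
}

// Decision for an incoming GraphQL HTTP request, taken before parsing the body.
function csrfPreventionDecision(request) {
  if (provablyPreflighted(request.headers)) return { allowed: true };
  return {
    allowed: false,
    status: 400,
    reason:
      'Request rejected as a possible cross-site request: send a non-simple ' +
      'content type such as application/json, or an Apollo-Require-Preflight header.',
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  jsonPost: { method: 'POST', headers: { 'Content-Type': 'application/json' } },
  plainGet: { method: 'GET', headers: {} },
  textPlainPost: { method: 'POST', headers: { 'content-type': 'text/plain;charset=UTF-8' } },
  getWithPreflightHeader: { method: 'GET', headers: { 'Apollo-Require-Preflight': 'true' } },
};

function decideAll(requests) {
  const result = {};
  for (const [name, req] of Object.entries(requests)) result[name] = csrfPreventionDecision(req).allowed;
  return result;
}
```

The rule is only as strong as the browser's own enforcement of when a preflight is required: the entries above exist because a browser bug let a request through that this check assumes was preflighted, so the check is a mitigation and the fixed versions the entries point to are what actually closes the gap.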
Source: RedhatCVE | Added: 2026/02/05 7:23 p.m. | Views: 2

CVE-2026-23897

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 1
Source: NVD | Added: 2026/02/04 8:16 p.m. | Views: 1

CVE-2026-23897

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | EPSS 0.00023 | Exploits: 0 | References: 3
Source: OSV | Added: 2026/02/04 7:18 p.m. | Views: 2

CVE-2026-23897 Apollo Server is vulnerable to denial of service with `startStandaloneServer`

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 5
Source: ATTACKERKB | Added: 2026/02/04 7:18 p.m. | Views: 3

CVE-2026-23897

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 4 | Affected software: 1
Source: Cvelist | Added: 2026/02/04 7:18 p.m. | Views: 26

CVE-2026-23897 Apollo Server is vulnerable to denial of service with `startStandaloneServer`

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | EPSS 0.00023 | Exploits: 0 | References: 3
Source: CVE | Added: 2026/02/04 7:18 p.m. | Views: 9

CVE-2026-23897

CVE-2026-23897 affects Apollo Server when using the default configuration of startStandaloneServer from @apollo/server/standalone. Versions 2.0.0–3.13.0, 4.2.0–before 4.13.0, and 5.0.0–before 5.4.0 are vulnerable to Denial of Service via specially crafted request bodies with exotic character set ...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 3 | Affected software: 1
Source: Vulnrichment | Added: 2026/02/04 7:18 p.m. | Views: 3

CVE-2026-23897 Apollo Server is vulnerable to denial of service with `startStandaloneServer`

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 3
Source: EUVD | Added: 2026/02/04 7:18 p.m. | Views: 4

EUVD-2026-5364

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023 | Exploits: 0 | References: 3
Source: vulnersOsv | Added: 2026/02/04 6:02 p.m. | Views: 2

@apollo/server-integration-testsuite (>=5.0.0 <=5.3.0), @commitspark/graphql-api (>=1.0.0-beta.3 <=1.0.0-beta.6) +22 more potentially affected by CVE-2026-23897 via @apollo/server (>=5.0.0 <=5.3.0)

@apollo/server NPM version =5.0.0, =5.0.0, =1.0.0-beta.3, =1.217.0, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.20.2, =2.21.0 and more Source cves: CVE-2026-23897 Source advisory: OSV:GHSA-MP6Q-XF9X-FWF7...

CVSS 7.5 | AI score 5.8 | EPSS 0.00023 | Exploits: 0
Source: vulnersOsv | Added: 2026/02/04 6:02 p.m. | Views: 1

4m-node-server (>=0.0.1 <=0.0.8), @2109-t5/server (>=1.0.0 <=1.0.9) +985 more potentially affected by CVE-2026-23897 via apollo-server (>=0.1.5 <=3.9.0)

apollo-server NPM version =0.1.5, =0.0.1, =1.0.0, =0.5.0, =0.0.1, =0.1.1, =0.0.1, =1.0.7, =0.4.0-alpha.0, =10.4.0, =9.0.0, =10.0.0, =11.2.0 and more Source cves: CVE-2026-23897 Source advisory: SNYK:JS-APOLLOSERVER-15208674...

CVSS 7.5 | AI score 5.8 | EPSS 0.00023 | Exploits: 0
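The CVE-2026-23897 entries above (RedhatCVE through EUVD, and the two vulnersOsv dependency listings) agree on three affected Apollo Server ranges: 2.0.0 through 3.13.0 inclusive, 4.2.0 up to but not including 4.13.0, and 5.0.0 up to but not including 5.4.0. The following is an added example of turning those ranges into a check that can be run over an inventory of installed versions; it was written for this page and is not taken from Apollo or from any scanner, the semver comparison is hand-rolled so it runs with no dependencies, and the sample inventory is constructed.

```javascript
// Added example: is a given Apollo Server version inside the ranges the
// CVE-2026-23897 entries state as affected? Not from Apollo or any scanner.

const AFFECTED_RANGES = [
  { min: '2.0.0', max: '3.13.0', maxInclusive: true },  // "2.0.0 to 3.13.0"
  { min: '4.2.0', max: '4.13.0', maxInclusive: false }, // "4.2.0 to before 4.13.0"
  { min: '5.0.0', max: '5.4.0', maxInclusive: false },  // "5.0.0 to before 5.4.0"
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Semver precedence: numeric core first, then pre-release identifiers;
// a pre-release sorts before the release it precedes (1.0.0-rc.1 < 1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.pre.length) return -1; // shorter pre-release list sorts first
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i];
    const y = pb.pre[i];
    const xNum = /^\d+$/.test(x);
    const yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xNum) {
      return -1; // numeric identifiers sort before alphanumeric ones
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True if the version falls inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(({ min, max, maxInclusive }) => {
    const aboveMin = compareVersions(version, min) >= 0;
    const cmpMax = compareVersions(version, max);
    return aboveMin && (maxInclusive ? cmpMax <= 0 : cmpMax < 0);
  });
}

// Given {label: version} pairs, return the entries that need attention.
function audit(installed) {
  return Object.entries(installed)
    .filter(([, version]) => isAffected(version))
    .map(([label, version]) => `${label}@${version}`);
}

// Constructed sample inventory (labels are assumed project/package names).
const SAMPLE_INVENTORY = {
  'service-a/@apollo/server': '5.3.0',
  'service-b/@apollo/server': '5.4.0',
  'service-c/@apollo/server': '4.12.2',
  'legacy/apollo-server-core': '3.13.0',
  'service-d/@apollo/server': '4.1.0',
};
```

In practice the inventory comes from each project's lockfile or from `npm ls @apollo/server --json` (and `npm ls apollo-server-core --json` for 2.x/3.x installs); the ranges are about Apollo Server's version regardless of which npm package carried it, which is how the entries above phrase them.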