The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...

PT-2022-28174 · Apollo · Apollo Server 2 +1

Name of the Vulnerable Software and Affected Versions: Apollo Server 2 versions prior to 2.25.4 Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled Description: The graphql-upload npm package can execute GraphQL operations contained in...

GHSA-QM7X-RC44-RRQW Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...

Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...