Apollo has identified and addressed a Cross-Site Request Forgery (CSRF) vulnerability affecting customer sites that use Embedded Sandbox or Embedded Explorer. This vulnerability could allow a malicious website to trick a user’s browser into sending unauthorized GraphQL requests (including mutations) to a customer’s GraphQL server, using the user’s authentication cookies.
There are several ways to include Embedded Sandbox and Explorer in your website; Apollo has already mitigated the vulnerability for most of these ways. The vulnerability remains only if you have installed the @apollo/sandbox or @apollo/explorer npm package in your website’s frontend code.
Impact
If Embedded Sandbox or Embedded Explorer is hosted on your GraphQL server or embedded within your documentation or applications, malicious actors could potentially execute GraphQL operations on behalf of authenticated users without their knowledge. This could result in unintended data changes or other unauthorized actions.
This Cross-Site Request Forgery vulnerability has the greatest impact if your GraphQL server uses cookies for authentication, or if your server is hosted on a private network that attackers do not have direct access to. If your GraphQL server is on the public Internet and does not use cookies for authentication, malicious actors can only cause browsers to send requests that they could already directly send themselves. Attackers cannot read the responses to these GraphQL operations.
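The advisory linked below names the root cause as a postMessage origin validation bypass. The following is an added example, not Apollo's code, showing how an embedding page should gate a credentialed GraphQL request on the origin of the message that requests it: a prefix check is contrasted with an exact-origin check, and the handler also requires the message to come from the iframe window the page itself created. The embed origin and the message shape are constructed placeholders.

```javascript
// Added example (not Apollo's code). Origins below are constructed placeholders.
const EMBED_ORIGIN = "https://embed.graph-tool.example"; // constructed placeholder

// Weak check, shown only for contrast: a prefix test accepts any origin that
// merely begins with the trusted one, such as a look-alike hostname.
function weakOriginCheck(origin) {
  return origin.startsWith(EMBED_ORIGIN);
}

// Strict check: parse the origin and compare the normalized origin string for
// exact equality against an allow-list. Parsing rejects malformed values and
// makes "https://host" and "https://host:443" compare equal.
function isTrustedOrigin(origin, allowList = [EMBED_ORIGIN]) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // e.g. the literal string "null" from an opaque origin
  }
  if (parsed.protocol !== "https:") return false;
  return allowList.some((allowed) => new URL(allowed).origin === parsed.origin);
}

// Message handler for the embedding page. `sendGraphQL` performs the
// credentialed fetch to the customer's GraphQL server. It runs only when the
// event comes from the trusted origin AND from the iframe window this page
// created (`expectedSource`), and only for a well-formed message.
function handleEmbedMessage(event, expectedSource, sendGraphQL) {
  if (!isTrustedOrigin(event.origin)) return { accepted: false, reason: "origin" };
  if (event.source !== expectedSource) return { accepted: false, reason: "source" };
  const msg = event.data;
  if (!msg || msg.type !== "ExecuteOperation" || typeof msg.operation !== "string") {
    return { accepted: false, reason: "shape" };
  }
  sendGraphQL({ query: msg.operation, variables: msg.variables ?? {} });
  return { accepted: true };
}
```

In a real page the handler is registered with `window.addEventListener("message", ...)` and `expectedSource` is the `contentWindow` of the iframe the page itself inserted.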
Required Actions
Your website contains this vulnerability if:
- You used a code snippet provided by Apollo Sandbox or Apollo Explorer to explicitly install the @apollo/sandbox or @apollo/explorer npm package into your website’s frontend.
- All versions of @apollo/sandbox older than v2.7.2 are vulnerable.
- All versions of @apollo/explorer older than v3.7.3 are vulnerable.
Mitigation Details
- Upgrade your npm dependencies to the fixed versions (@apollo/sandbox: v2.7.2, @apollo/explorer: v3.7.3) in all environments (development, staging, and production). No action is required unless you have explicitly installed one of these npm packages in your frontend website code.
- Apollo Router and Apollo Server have configuration options which allow them to serve Embedded Sandbox or Embedded Explorer. Apollo has mitigated the vulnerability in this case and no action is required.
- Sandbox and Explorer also provide a code snippet consisting of a script tag linking directly to Apollo’s CDN. Apollo has mitigated the vulnerability in this case and no action is required.
Updated Release Information
The vulnerability has been fully mitigated in:
- @apollo/sandbox: v2.7.2 and later
- @apollo/explorer: v3.7.3 and later
Security Advisories
You can read more about the vulnerabilities via the associated GitHub Security Advisories:
CSRF via postMessage origin validation bypass in Apollo Embedded Sandbox and Explorer
Thank you for your understanding and your prompt action on this matter. Apollo GraphOS graph/org admins have also been directly notified via email. The security of our users’ projects is our top priority. Apollo follows responsible disclosure security best practices outlined in our public security policy.