[Action Required] Security Notice from Apollo GraphQL regarding XS-Search vulnerability

Apollo has identified an issue in certain browsers that allows an attacker to circumvent Apollo Router and Apollo Server protection against read-only cross-site request forgery (CSRF) attacks. The browser vendor has confirmed our finding and implemented a fix; however, we do not expect that browser-level fix to be broadly available before May. Apollo has proactively released security patches so you can restore and implement protection immediately and guard against similar browser-level issues going forward.

Impact

If your graphs only use custom HTTP headers (for example, a bearer token in an Authorization header) for authentication, you are not affected: a cross-site page cannot make the browser attach such headers to a request without a CORS preflight that your server controls. Your deployment is affected if:

  • You are running Apollo Router or Apollo Server, and
  • Your graph uses cookies for authentication

This vulnerability may allow an attacker to perform unauthorized read-only requests (queries) on behalf of an authenticated user in an affected browser. The attacker's site cannot read the responses to these queries, and cannot perform mutations, but it can measure how long they take and use that timing to infer information about the response (an XS-Search attack).

We recommend upgrading to a patched version immediately or implementing a mitigation at another layer in your stack as described in the advisories below.

Mitigation Details

The patched versions below address this issue. If an immediate upgrade is not feasible, the security advisories include workaround options you can implement at other layers of your stack in the interim.

The following patched versions are now available:

  • Apollo Router v2.12.1 (latest version)
  • Apollo Router v2.10.2 (v2.10.x LTS release)
  • Apollo Router v1.61.13 (v1 release; note that Router v1 reaches end-of-support on March 31, 2026)
  • @apollo/server v5.5.0
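As an added illustration of what a check "at another layer of your stack" can look like while you wait to upgrade, the following is an example written for this page, not Apollo's code and not one of the workarounds from the advisories (which should be followed in preference). It assumes an Express-style `(req, res, next)` middleware in front of the GraphQL handler, session-cookie authentication, and a custom request header whose name (`x-csrf-guard`) is a placeholder for one you choose. It runs before any query is parsed or executed, so a rejected cross-site request never produces data-dependent timing, and it deliberately does not rely on Content-Type, since the notice describes the existing preflight-based protection being circumvented at the browser level.

```javascript
// Added illustrative middleware (not Apollo's code). Rejects cookie-bearing
// requests that could have been sent cross-site without a CORS preflight,
// before the GraphQL handler parses or executes the query, so the response
// time does not depend on query results.
//
// Assumptions (not from the advisory): an Express-style (req, res, next)
// middleware, session-cookie authentication, and a custom header whose
// name below is a placeholder you should replace with your own.
const REQUIRED_HEADER = "x-csrf-guard"; // placeholder header name

// Lower-case every header name so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
  }
  return out;
}

// Decide whether a request may reach the GraphQL handler.
// Returns { allowed, reason } so the decision can be logged and unit-tested.
function checkCrossSiteRequest(headers) {
  const h = normalizeHeaders(headers);

  // No cookie means there is no ambient credential for a cross-site page to forge.
  if (!h.cookie) {
    return { allowed: true, reason: "no cookie" };
  }

  // A browser only attaches a custom header after a successful CORS
  // preflight, which a cross-site page cannot obtain without the server's consent.
  if (h[REQUIRED_HEADER] !== undefined) {
    return { allowed: true, reason: `${REQUIRED_HEADER} present` };
  }

  // Fetch Metadata is set by the browser and cannot be overridden by page
  // script. "same-origin" and "none" (user navigation) are not cross-site.
  // "same-site" is intentionally not accepted (a sibling subdomain is cross-origin).
  const site = (h["sec-fetch-site"] || "").toLowerCase();
  if (site === "same-origin" || site === "none") {
    return { allowed: true, reason: `sec-fetch-site=${site}` };
  }

  // Content-Type is not consulted: the existing preflight-based protection
  // is what the notice says was circumvented, so it is not trusted here.
  return {
    allowed: false,
    reason: "cookie present without custom header or same-origin Fetch Metadata",
  };
}

// Express-style middleware: app.use("/graphql", csrfGuard) before the Apollo
// handler. Replies 403 without touching the GraphQL layer at all.
function csrfGuard(req, res, next) {
  const verdict = checkCrossSiteRequest(req.headers);
  if (verdict.allowed) {
    return next();
  }
  res.statusCode = 403;
  res.setHeader("content-type", "application/json");
  res.end(JSON.stringify({ errors: [{ message: "Cross-site request rejected" }] }));
}
```

This is stricter than a Content-Type check: any client that sends cookies, including non-browser clients and legitimate cross-origin web clients, must now also send the custom header, so roll it out alongside a client change and watch the rejection log before enforcing it broadly.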

Security Advisories

You can read more about the vulnerabilities and alternative mitigations via the associated GitHub Security Advisories: Apollo Router security advisory and Apollo Server security advisory.
