Update dependency @apollo/explorer to v3.7.3 - abandoned#49
Open
mend-on-mend[bot] wants to merge 1 commit into
Open
Update dependency @apollo/explorer to v3.7.3 - abandoned#49mend-on-mend[bot] wants to merge 1 commit into
mend-on-mend[bot] wants to merge 1 commit into
Conversation
Signed-off-by: mend-on-mend[bot] <mend-on-mend[bot]@users.noreply.github.com>
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
mend-on-mend
Bot
changed the title
Author
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.6.0→3.7.3Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
CVE-2025-59845 / GHSA-w87v-7w53-wwxv
More information
Details
Impact
A Cross-Site Request Forgery (CSRF) vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer.
The vulnerability arises from missing origin validation in the client-side code that handles
window.postMessageevents. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies.Who is impacted
Anyone embedding Apollo Sandbox or Apollo Explorer in their website may have been affected by this vulnerability.
@apollo/sandboxand@apollo/explorer) or direct links to Apollo’s CDN.NODE_ENVis not set toproduction, and embedded Sandbox and Explorer can also be enabled in production mode via landing page plugins. This served the vulnerable code from Apollo’s CDN.While all of the above methods of serving Embedded Sandbox and Explorer were vulnerable, Apollo has already updated its CDN to remove all vulnerable versions. Unless you install the npm package
@apollo/sandboxor@apollo/explorerdirectly into your website’s front end code, no action is necessary: the vulnerability has already been mitigated.Users who do not embed Sandbox/Explorer on their websites, or who only run Apollo Router/Server with production defaults were never impacted. The use of non-embedded Sandbox and Explorer hosted on studio.apollographql.com is not vulnerable.
Scope of impact
The vulnerability allows a malicious website to open the vulnerable website in a new window and force it to send GraphQL requests to its origin. The requests themselves are not "cross-origin" as they are directly issued from the vulnerable website, but their contents are dictated by the malicious website.
The malicious website cannot read the responses to the GraphQL operations, but the operations may be mutations with side effects (such as using credentials to update app-specific data access controls). These operations can contain the browser user's cookies, and the vulnerable website may be on a private network otherwise inaccessible to the attacker. Operations sent this way look and exactly like legitimate operations sent by a human interacting with the embedded Sandbox or Explorer.
Patches
The issue has been fixed by adding strict origin validation to DOM message handling.
@apollo/sandbox: Patched in v2.7.2 and later@apollo/explorer: Patched in v3.7.3 and later<script>tags pointing to Apollo’s CDN, as well as the Apollo Router and Apollo Server features. No action is necessary to adopt the fix in this case.If you manually edited the
<script>tag provided by the Explorer or Sandbox UI to replace the version string_latest,v2, orv3with a specific git-style SHA, you may find that the Explorer or Sandbox UI does not currently load. To fix this, use a supported URL instead, as documented for Sandbox or Explorer. (The third-party Go GraphQL server gqlgen provides a function ApolloSandboxHandler which serves an unsupported URL and was broken by our mitigations; upgrading to gqlgen v0.17.81 will resolve this issue.)Workarounds
NODE_ENV=productionis set in production to avoid unintentionally serving embedded Sandbox.References
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
apollographql/embeddable-explorer (@apollo/explorer)
v3.7.3Compare Source
v3.7.2Compare Source
v3.7.1Compare Source
v3.7.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.