Severity: moderate

    Information Exposure

    apollo-server

    Overview

    Versions of apollo-server prior to 2.14.2 are vulnerable to Information Exposure. When creating the subscription server, the package does not apply the configured GraphQL validation rules to operations received over the WebSocket transport; this includes the NoIntrospection rule that apollo-server adds when introspection has been disabled. An introspection query sent over the subscriptions endpoint therefore succeeds even though the same query is rejected over HTTP, leaking the GraphQL schema: its types, their relations and their human-readable names. More information can be found in the references.
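The failure mode is that one transport runs the validation pipeline and the other does not. The following is an added example, not code from apollo-server or Apollo: in plain Node.js it models the HTTP path and a subscriptions-transport-ws style handler for a start message, with a vulnerable handler beside a fixed one, plus the client-side message shape and response check you would use to probe a deployment. The function names (runHttp, handleStartVulnerable, handleStartFixed, classifyResponse), the tokenizer-based NoIntrospection stand-in, the execute stub and the canned schema data are assumptions made for illustration; only the message types (start, data) and the field names __schema and __type come from the subscriptions-transport-ws protocol and GraphQL introspection.

```javascript
// Added example, not apollo-server code. Models the bug described above:
// the same validation rules must run on every transport that executes operations.

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Minimal tokenizer (assumption, not a full GraphQL parser): blanks out string
// literals and comments, then returns identifier tokens so that a "__schema"
// inside a string argument is not mistaken for a field selection.
function identifiers(query) {
  const stripped = query
    .replace(/"(?:[^"\\]|\\.)*"/g, '""')
    .replace(/#[^\n]*/g, '');
  return stripped.match(/[_A-Za-z][_0-9A-Za-z]*/g) || [];
}

// Validation rule in the spirit of apollo-server's NoIntrospection:
// returns a list of errors, empty when the document is acceptable.
function NoIntrospection(query) {
  const hit = identifiers(query).find((id) => INTROSPECTION_FIELDS.has(id));
  return hit
    ? [{ message: `GraphQL introspection is not allowed, but the query contained ${hit}` }]
    : [];
}

function validate(query, rules) {
  return rules.flatMap((rule) => rule(query));
}

// Stub executor (assumption): answers a normal field and an introspection query
// with canned data so the leak is observable without a real schema.
function execute(query) {
  if (identifiers(query).includes('__schema')) {
    return { data: { __schema: { types: [{ name: 'Query' }, { name: 'User' }, { name: 'String' }] } } };
  }
  return { data: { hello: 'world' } };
}

// HTTP path: validation runs before execution.
function runHttp(query, validationRules) {
  const errors = validate(query, validationRules);
  return errors.length ? { errors } : execute(query);
}

// WebSocket path, vulnerable form: the rules the server was configured with
// are never consulted, so an introspection operation executes.
function handleStartVulnerable(msg) {
  return { id: msg.id, type: 'data', payload: execute(msg.payload.query) };
}

// WebSocket path, fixed form: the same rule set runs before execution.
// Validation failures are returned as a "data" message carrying only errors.
function handleStartFixed(msg, validationRules) {
  const errors = validate(msg.payload.query, validationRules);
  const payload = errors.length ? { errors } : execute(msg.payload.query);
  return { id: msg.id, type: 'data', payload };
}

// Client side: the subscriptions-transport-ws "start" message carrying a probe.
const INTROSPECTION_PROBE = '{ __schema { types { name } } }';

function startMessage(id, query) {
  return { id, type: 'start', payload: { query } };
}

// Classify a server reply: "leaks" when schema data came back, "blocked" when
// the operation was rejected with errors, "other" for anything else.
function classifyResponse(msg) {
  if (!msg || msg.type !== 'data') return 'other';
  const p = msg.payload || {};
  if (p.data && (p.data.__schema || p.data.__type)) return 'leaks';
  if (Array.isArray(p.errors) && p.errors.length) return 'blocked';
  return 'other';
}

// Demonstration with constructed input: vulnerable vs fixed handler.
const rules = [NoIntrospection];
const probe = startMessage('1', INTROSPECTION_PROBE);
console.log('http      :', classifyResponse({ type: 'data', payload: runHttp(INTROSPECTION_PROBE, rules) }));
console.log('ws (vuln) :', classifyResponse(handleStartVulnerable(probe)));
console.log('ws (fixed):', classifyResponse(handleStartFixed(probe, rules)));
```

To probe a live deployment, open a WebSocket to the subscriptions path with the graphql-ws subprotocol, send a connection_init message and wait for connection_ack, then send the start message above and classify the reply; a "leaks" result with introspection disabled over HTTP reproduces the advisory. If you build the subscription server yourself rather than letting apollo-server create it, pass the same validationRules array you use for HTTP to the SubscriptionServer options (the option is named validationRules in subscriptions-transport-ws), otherwise upgrading alone does not cover that code path.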

    Remediation

    Upgrade to version 2.14.2 or later.

    Resources


    Advisory timeline

    1. Advisory published: Jun 5th, 2020
    2. Reported by Bitwala security team: Jun 5th, 2020