Severity: moderate

Information Exposure

apollo-server

Overview

Versions of apollo-server prior to 2.4.12 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers; those rules include the NoIntrospection rule, which is therefore not applied to the WebSocket transport. This leaks the GraphQL schema types, their relations and human-readable names. More information can be found in the references.
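The following is an added illustration of the mechanism described above; it is not apollo-server code and does not use the graphql package. It models a server with two transports (HTTP and WebSocket) sharing one configuration: in the vulnerable shape only the HTTP path applies the configured validation rules, so an introspection query that is rejected over HTTP is accepted over the subscription socket; in the fixed shape both transports apply them. The `noIntrospection` function is a simplified stand-in for the real rule (the real one is a graphql-js AST visitor that reports an error on any field named `__schema` or `__type`); the server shape, option names and query text are constructed for the example.

```javascript
// Simplified stand-in for a NoIntrospection validation rule (assumption: the
// real rule walks the parsed AST; this one scans field names in the raw text).
// Returns a list of error strings, empty when the query is acceptable.
function noIntrospection(query) {
  // Blank out string literals and comments so "__schema" inside an argument
  // value or a comment is not mistaken for a selected field.
  const stripped = query
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
  // __typename is allowed (no word boundary after "__type" there), only the
  // two schema-dumping meta fields are flagged.
  const hits = stripped.match(/\b__(?:schema|type)\b/g) || [];
  return hits.map(
    (name) => `GraphQL introspection is not allowed, but the query contained ${name}`
  );
}

// Runs every configured rule and collects the errors they report.
function validate(query, rules) {
  return rules.flatMap((rule) => rule(query));
}

// Constructed server model with two transports. `introspection: false` turns
// the NoIntrospection rule on; `patched` decides whether the WebSocket
// (subscription) path honours the same rule list as the HTTP path.
function makeServer({ introspection, patched }) {
  const rules = introspection ? [] : [noIntrospection];
  return {
    httpExecute(query) {
      return validate(query, rules);
    },
    wsExecute(query) {
      // Vulnerable shape: rules are dropped when the subscription server is
      // created, so the socket validates against an empty rule list.
      return validate(query, patched ? rules : []);
    },
  };
}

// Constructed sample queries: a schema dump and an ordinary selection.
const INTROSPECTION_QUERY = `
  query IntrospectionQuery {
    __schema { types { name fields { name } } }
  }`;
const ORDINARY_QUERY = '{ user(id: "1") { name __typename } }';

// Summarises, per transport, whether the introspection query is blocked.
function outcome(server) {
  return {
    httpBlocked: server.httpExecute(INTROSPECTION_QUERY).length > 0,
    wsBlocked: server.wsExecute(INTROSPECTION_QUERY).length > 0,
    ordinaryAllowed: server.wsExecute(ORDINARY_QUERY).length === 0,
  };
}

console.log('vulnerable:', outcome(makeServer({ introspection: false, patched: false })));
console.log('patched:   ', outcome(makeServer({ introspection: false, patched: true })));
```

The vulnerable model blocks introspection over HTTP but not over the socket, which is exactly the exposure the advisory describes: disabling introspection in the server configuration only protects the transports that actually run the rule. A detection-side use of the same check is to flag `__schema`/`__type` selections arriving on the subscription endpoint in request logs while the upgrade is rolled out.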

Remediation

Upgrade to version 2.14.2 or later.

Advisory timeline

  1. published

    Advisory Published
    Jun 5th, 2020
  2. reported

    Reported by Bitwala security team
    Jun 5th, 2020