Versions of apollo-server-azure-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which include a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and human-readable names. More information can be found in the references.
Upgrade to version 2.14.2 or later.
Advisory published: Jun 5th, 2020
Reported by Bitwala security team: Jun 5th, 2020
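
A lockfile check for the affected range, as an added example (not code from the advisory or from the Apollo project): it walks a parsed package-lock.json and reports every installed copy of apollo-server-azure-functions below 2.14.2, including transitive ones. The sample lockfiles and the `some-wrapper` package name are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the advisory's affected range.
const PKG = 'apollo-server-azure-functions'; // package named in the advisory
const FIXED = [2, 14, 2];                    // first fixed version per the advisory
// Returns 'vulnerable', 'patched', or 'unknown' (git/URL/link specs have no comparable version).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return 'unknown';
  const parts = m.slice(1, 4).map(Number); // numeric compare, so 2.9.x < 2.14.x
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i] ? 'vulnerable' : 'patched';
  }
  return m[4] ? 'vulnerable' : 'patched'; // a 2.14.2 prerelease sorts before 2.14.2
}

// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by path).
function scanLockfile(lock) {
  const hits = [];
  const record = (where, version) => {
    const status = classify(version);
    if (status !== 'patched') hits.push({ where, version, status });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PKG)) record(path, meta.version);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail + '/' + name;
        if (name === PKG) record(where, meta.version);
        walk(meta.dependencies, where); // transitive copies nest here in v1 lockfiles
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfiles; "some-wrapper" is a hypothetical dependent package.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  [PKG]: { version: '2.14.1' },
  'some-wrapper': { version: '1.0.0', dependencies: { [PKG]: { version: '2.14.2' } } },
} };
const SAMPLE_V2 = { lockfileVersion: 2, packages: {
  '': { name: 'demo' },
  ['node_modules/' + PKG]: { version: '2.9.16' },
  ['node_modules/some-wrapper/node_modules/' + PKG]: { version: '2.15.0' },
} };
console.log(scanLockfile(SAMPLE_V1), scanLockfile(SAMPLE_V2));
```

Entries reported as `unknown` are installs from a git URL, tarball or link, where the lockfile carries no comparable version and the copy has to be checked by hand.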