Severity: moderate

    Information Exposure



    Versions of apollo-server-azure-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and human-readable names. More information can be found in the references.


    Upgrade to version 2.14.2 or later.
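
To confirm the upgrade reached every installed copy, including copies nested under other packages, the parsed contents of a `package-lock.json` can be checked against the fixed version. The script below is an added example, not code from the advisory or from the Apollo project; the sample lockfile, its `example-api` package and its `2.9.16` entry are constructed for illustration.

```javascript
// Added example: flags apollo-server-azure-functions installs below 2.14.2.
const PKG = 'apollo-server-azure-functions';
const FIXED = [2, 14, 2]; // first patched version named in the advisory

// True when `version` is below 2.14.2. A 2.14.2 prerelease sorts below the
// release, and an unparseable version is flagged for manual review.
function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]); // numeric compare, so 2.9.x sorts below 2.14.x
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every installed copy, including copies nested under other packages.
function findInstalls(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PKG)) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PKG) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Installs that still need the upgrade.
function audit(lock) {
  return findInstalls(lock).filter((hit) => isVulnerable(hit.version));
}

// Constructed sample lockfile: one patched top-level copy, one nested old copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/apollo-server-azure-functions': { version: '2.14.2' },
    'node_modules/example-api/node_modules/apollo-server-azure-functions': { version: '2.9.16' },
  },
};
console.log(audit(sampleLock));
```

For a real project, pass `JSON.parse` of the project's `package-lock.json` to `audit`; an empty result means no copy below 2.14.2 is installed.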



    Advisory timeline

    1. published

      Advisory Published
      Jun 5th, 2020
    2. reported

      Reported by Bitwala security team
      Jun 5th, 2020