Versions of apollo-server-cloudflare prior to 2.4.12 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a
NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and human-readable names. More information can be found in the references.
Upgrade to version 2.14.2 or later.
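For deployments that cannot upgrade immediately, the following added example (not code from the advisory or from Apollo) shows a conservative gate that refuses introspection fields in operations arriving over the WebSocket transport. The message shape (`type: 'start'`, `payload.query`), the function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: conservative pre-filter for WebSocket subscription messages.
// It does not replace the server's own validation rules; it refuses any
// operation that names an introspection meta-field before it reaches them.
const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// One pass, leftmost match wins: block strings (honouring the \""" escape),
// ordinary strings, then comments. A single pass stops a comment containing
// quotes from opening a fake string that would hide real fields.
const LITERALS = /"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n\r]*/g;

function usesIntrospection(query) {
  const code = query.replace(LITERALS, ' ');
  const names = code.match(/[_A-Za-z][_0-9A-Za-z]*/g) || [];
  // __typename is a different token and stays allowed.
  return names.some((name) => INTROSPECTION_FIELDS.has(name));
}

// raw: one text frame received on the subscription socket (assumed JSON).
function gateSubscriptionMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return { allow: false, reason: 'malformed JSON' };
  }
  if (msg === null || typeof msg !== 'object') {
    return { allow: false, reason: 'malformed message' };
  }
  if (msg.type !== 'start') {
    return { allow: true, reason: 'not an operation' };
  }
  const query = msg.payload && msg.payload.query;
  if (typeof query !== 'string') {
    return { allow: false, reason: 'missing query' };
  }
  if (usesIntrospection(query)) {
    return { allow: false, reason: 'introspection disabled' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample frames.
const SAMPLE_OK = JSON.stringify({
  type: 'start', id: '1',
  payload: { query: 'subscription { messageAdded { id __typename } }' },
});
const SAMPLE_INTROSPECTION = JSON.stringify({
  type: 'start', id: '2',
  payload: { query: '{ __schema { types { name } } }' },
});
```

The filter errs on the side of rejection: any name token equal to `__schema` or `__type` outside a string or comment causes a refusal.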
Advisory published: Jun 5th, 2020
Reported by Bitwala security team: Jun 5th, 2020