Severity: moderate

Information Exposure



Versions of apollo-server-cloudflare prior to 2.4.12 are vulnerable to Information Exposure. The package does not properly enforce its validation rules when creating the subscription server, so the NoIntrospection rule is not applied to queries arriving over the WebSocket endpoint. This leaks the GraphQL schema types, their relations and human-readable names. More information can be found in the references.
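The defect described above is a validation rule that guards one transport but not the other. The following added example (not apollo-server code, and not Apollo's actual NoIntrospection implementation) shows the defensive shape: one shared rule list that both a hypothetical HTTP handler and a hypothetical subscription-message handler run before executing anything. The rule itself is an assumed, simplified stand-in that flags the `__schema` and `__type` meta-fields after stripping string literals and comments, rather than Apollo's AST-visitor rule; the handler names and sample queries are constructed for the illustration.

```javascript
// Added illustration, not apollo-server code. One validation-rule list is
// shared by the HTTP endpoint and the subscription (WebSocket) endpoint so an
// introspection query is rejected on either path.

// Remove block strings, ordinary strings and comments so that "__schema" inside
// a string argument or a comment cannot trigger (or hide) a match.
function stripStringsAndComments(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')      // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')   // ordinary strings
    .replace(/#[^\n]*/g, '');              // line comments
}

// Simplified NoIntrospection rule (assumption: a field-name scan, not an AST
// visitor). __typename is deliberately allowed, only __schema and __type are not.
function noIntrospection(query) {
  const cleaned = stripStringsAndComments(query);
  const hits = cleaned.match(/\b__(schema|type)\b/g) || [];
  return hits.map(f => `GraphQL introspection is not allowed, but the query contained ${f}`);
}

// The single rule list: both transports below must use exactly this list.
const validationRules = [noIntrospection];

function validateQuery(query, rules) {
  return rules.flatMap(rule => rule(query));
}

// Hypothetical HTTP request handler.
function handleHttpRequest(body) {
  const errors = validateQuery(body.query, validationRules);
  return errors.length ? { status: 400, errors } : { status: 200, data: 'executed' };
}

// Hypothetical subscription-message handler. The advisory's point is that the
// vulnerable versions skipped this validation step on this path.
function handleSubscriptionMessage(message) {
  const errors = validateQuery(message.payload.query, validationRules);
  return errors.length ? { type: 'error', errors } : { type: 'data', data: 'subscribed' };
}

// Constructed sample queries.
const introspectionQuery = '{ __schema { types { name fields { name } } } }';
const normalQuery = 'subscription { commentAdded(repoFullName: "a/b") { id content } }';
const trickyQuery = 'query { search(term: "__schema") { id } } # __type only in a comment';

// Runs both transports over the samples and reports which were blocked.
function runSamples() {
  return {
    httpIntrospection: handleHttpRequest({ query: introspectionQuery }).status,
    wsIntrospection: handleSubscriptionMessage({ payload: { query: introspectionQuery } }).type,
    wsNormal: handleSubscriptionMessage({ payload: { query: normalQuery } }).type,
    trickyHits: noIntrospection(trickyQuery).length,
  };
}

console.log(runSamples());
```

The rule list is defined once and passed to both handlers; a fix of this shape makes it impossible to register a rule for one transport and forget the other, which is the class of mistake this advisory records.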


Upgrade to version 2.14.2 or later.



Advisory timeline

  1. published

    Advisory Published
    Jun 5th, 2020
  2. reported

    Reported by Bitwala security team
    Jun 5th, 2020