Apollo GraphQL Embedded Sandbox and Explorer Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Apollo GraphQL's Embeddable Sandbox and Embeddable Explorer, prior to version 2.7.2 of Sandbox and 3.7.3 of Explorer. The client-side code that handles window.postMessage events did not adequately validate the origin of incoming messages. Because postMessage can be called by any page that holds a reference to the embed's window (for example, a page that frames it or that opened it), a malicious website can post forged messages that the embed treats as legitimate instructions. The victim's browser then sends attacker-chosen GraphQL queries or mutations to the configured endpoint with the victim's cookies attached. Since the requests originate from the victim's browser, the attack also works against private GraphQL servers the attacker cannot reach directly, and a mutation chosen by the attacker may alter data or access controls.
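The following is an added example, not code from Apollo's packages, showing the window.postMessage listener pattern at issue in a vulnerable and a hardened form. The message shape (name, query, variables), the origin allowlist, the embed origin used by the sender, and the executeGraphQL stand-in are assumptions made for illustration; the real embed protocol differs.

```javascript
// Added example (not Apollo's code): the window.postMessage listener pattern at
// issue, in a vulnerable form and a hardened form. The message shape, the
// allowlist and executeGraphQL are assumptions made for illustration.

// Origins allowed to drive the embed. Assumed value; in practice this is the
// origin the embed is designed to talk to, never "*" or a substring match.
const ALLOWED_ORIGINS = new Set(["https://studio.apollographql.com"]);

// Stand-in for the code path that runs an operation with the user's cookies.
// Returns a record of what would have been sent so the example is inspectable.
function executeGraphQL(msg) {
  return { query: msg.query, variables: msg.variables || {}, credentials: "include" };
}

// Structural check on the payload. Necessary, but not a substitute for an
// origin check: an attacker can construct a well-formed message trivially.
function isOperationMessage(data) {
  return (
    data !== null &&
    typeof data === "object" &&
    data.name === "ExecuteOperation" &&
    typeof data.query === "string"
  );
}

// VULNERABLE: never inspects event.origin, so any window that holds a
// reference to the embed (its opener, or a page that frames it) is obeyed.
function vulnerableHandler(event) {
  if (!isOperationMessage(event.data)) return null;
  return executeGraphQL(event.data);
}

// HARDENED: exact-match event.origin against the allowlist before anything
// else. A sandboxed iframe without allow-same-origin reports the string
// "null" as its origin, which the Set lookup rejects as intended.
function hardenedHandler(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  if (!isOperationMessage(event.data)) return null;
  return executeGraphQL(event.data);
}

// Sender side: always pass an explicit targetOrigin so the browser drops the
// message if the embed's window has been navigated somewhere else.
function postOperation(targetWindow, query, variables) {
  const msg = { name: "ExecuteOperation", query, variables };
  targetWindow.postMessage(msg, "https://embed.example"); // assumed embed origin
  return msg;
}

// Constructed MessageEvent stand-ins (not captured traffic).
const legitEvent = {
  origin: "https://studio.apollographql.com",
  data: { name: "ExecuteOperation", query: "{ me { id } }" },
};
const forgedEvent = {
  origin: "https://attacker.example",
  data: { name: "ExecuteOperation", query: "mutation { setRole(userId: 1, role: ADMIN) { id } }" },
};

// Runs both handlers against both events and reports what each would execute.
function demo() {
  return {
    vulnerableRunsForged: vulnerableHandler(forgedEvent) !== null,
    hardenedRunsForged: hardenedHandler(forgedEvent) !== null,
    hardenedRunsLegit: hardenedHandler(legitEvent) !== null,
  };
}
```

Wiring the handler up is `window.addEventListener("message", hardenedHandler)`; the origin check must compare the full scheme, host and port string exactly, because prefix or regex matches (for example, allowing anything ending in the expected hostname) are a well-known source of bypasses.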
Impact
Exploitation allows a malicious website to run GraphQL operations as though the user had issued them, including mutations that alter application data or access rights, with the victim's authentication cookies sent on each request.
Remediation
Users embedding Apollo Sandbox or Explorer via the npm packages '@apollo/sandbox' or '@apollo/explorer' should update to version 2.7.2 or 3.7.3 respectively; `npm ls @apollo/sandbox @apollo/explorer` shows which version is currently installed. Those using Apollo Server's or Apollo Router's built-in landing page need take no action, because the landing page loads the embed from Apollo's CDN, where the fix is already deployed. If the '<script>' tag was manually edited to pin a specific version, revert to a supported URL as documented for Apollo Sandbox or Explorer, since a pinned pre-fix version will keep serving the vulnerable code.
