Update dependency apollo-server to v2.25.4 [SECURITY] - autoclosed #916
Closed
Conversation
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 198eb1a to f21365a on September 26, 2022 01:20
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 3 times, most recently from bb471bb to 12fcd62 on October 6, 2022 02:09
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from c91b6d5 to 149aa95 on October 23, 2022 20:16
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 149aa95 to f6587a3 on November 20, 2022 08:12
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from f6587a3 to 2208c63 on March 16, 2023 06:36
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 2208c63 to c0dea45 on March 24, 2023 23:08
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from c0dea45 to 0aed6d2 on May 10, 2023 15:34
renovate bot changed the title from "Update dependency apollo-server to v2.25.3 [SECURITY]" to "Update dependency apollo-server to v2.25.4 [SECURITY]" on May 10, 2023
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from b189881 to b116f0e on May 16, 2023 21:55
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 0275d05 to e87252d on June 4, 2023 14:51
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 3830f36 to 3aac1e1 on June 20, 2023 20:23
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 3aac1e1 to 8d4fc0b on June 21, 2023 17:55
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 8d4fc0b to 70c8476 on July 6, 2023 10:56
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 70c8476 to 9102ee7 on July 27, 2023 19:31
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 998eb98 to 04fbf20 on August 27, 2023 10:41
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 04fbf20 to c2ce15a on September 19, 2023 14:17
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch 2 times, most recently from 53fd325 to 34b897f on September 28, 2023 13:57
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 34b897f to 71bb822 on October 9, 2023 10:48
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 71bb822 to dd7d40d on October 13, 2023 16:00
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from dd7d40d to 045b594 on October 23, 2023 12:51
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 045b594 to 9cac5c6 on November 6, 2023 07:32
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 9cac5c6 to a5872ab on November 16, 2023 11:00
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from a5872ab to d671fc9 on December 3, 2023 13:25
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from d671fc9 to 4423847 on December 12, 2023 06:59
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 4423847 to a8c370e on January 28, 2024 11:01
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from a8c370e to a594dc3 on February 4, 2024 12:10
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from a594dc3 to 3726a74 on February 25, 2024 11:38
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 3726a74 to 5ddb5e0 on March 12, 2024 10:03
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 5ddb5e0 to 3ca5774 on March 20, 2024 12:50
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 3ca5774 to 48140a2 on April 14, 2024 11:45
renovate bot force-pushed the renovate/npm-apollo-server-vulnerability branch from 48140a2 to ba12bab on April 21, 2024 07:52
renovate bot changed the title from "Update dependency apollo-server to v2.25.4 [SECURITY]" to "Update dependency apollo-server to v2.25.4 [SECURITY] - autoclosed" on Apr 26, 2024
This PR contains the following updates: apollo-server 2.18.2 -> 2.25.4
GitHub Vulnerability Alerts

GHSA-2p3c-p3qw-69r4

Impact

The graphql-upload npm package can execute GraphQL operations contained in `content-type: multipart/form-data` POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use `content-type: multipart/form-data`, they can be "simple requests" which are not preflighted by browsers.

If your GraphQL server uses `graphql-upload` and uses `SameSite=None` cookies for authentication, then JS on any origin can cause browsers to send cookie-authenticated mutations to your GraphQL server, which will be executed without checking your CORS policy first. (The attack won't be able to see the response to the mutation if your CORS policy is set up properly, but the side effects of the mutation will still happen.)

Additionally, if your GraphQL server uses `graphql-upload` and relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a private network), then JS on any origin can cause browsers (which may be on a private network or have an allowed IP address) to send mutations to your GraphQL server, which will be executed without checking your CORS policy first. (This attack does not require your server to use cookies. It is in some cases prevented by some browsers such as Chrome.)

Apollo Server 2 bundled `graphql-upload` and enabled it by default, so by default, Apollo Server 2 servers are vulnerable to these CSRF attacks. (Apollo Server 1 did not bundle `graphql-upload`. Apollo Server 3 no longer bundles `graphql-upload`, although AS3's docs do document how to manually integrate with `graphql-upload`.) It is enabled even if your server makes no use of the upload functionality.

If you are running Apollo Server 2 (older than v2.25.4) and do not specify `uploads: false` to `new ApolloServer`, then you are vulnerable to this CSRF mutation attack.

We recently introduced an opt-in CSRF prevention feature in Apollo Server 3.7. This feature successfully protects against CSRF even if you have manually integrated your AS3.7 server with `graphql-upload`. However, this feature is not available for Apollo Server 2.

Patches

If you are using Apollo Server 2 and do not actually use uploads in your schema (i.e., the `Upload` scalar is not used as the argument to any field or in any input object definition, and you do not specify `uploads` to `new ApolloServer`), then upgrading to Apollo Server 2.25.4 will automatically disable `graphql-upload` in your server. This will fix the CSRF mutation vulnerability.

Upgrading to v2.25.4 does still leave your server vulnerable to non-mutation CSRF attacks such as timing attacks against query operations. To protect yourself against these potentially lower-impact CSRF attacks, we encourage upgrading to Apollo Server v3.7 and enabling CSRF prevention. See the Apollo Server 3 migration guide and the CSRF prevention docs for details.

If you are actively using the uploads feature with Apollo Server 2, then upgrading to v2.25.4 will not disable the feature and you will still be vulnerable. You should instead upgrade to v3.7 and enable the CSRF prevention feature.

If you are manually integrating the `graphql-upload` package with any version of Apollo Server (or any Node GraphQL server) and need to continue using the feature, then you must enable some sort of CSRF prevention feature to fix this vulnerability. We recommend the CSRF prevention feature in Apollo Server 3.7.

Workarounds

Instead of upgrading your Apollo Server 2 server, you can specify `uploads: false` to `new ApolloServer` to disable the `graphql-upload` integration and protect against CSRF mutations. (Only do this if you do not actually use the uploads feature in your server!) This will still leave your server vulnerable to non-mutation CSRF attacks such as timing attacks against query operations; you need to upgrade to v3.7 and enable CSRF prevention to protect against these attacks.

Related work
Release Notes

apollographql/apollo-server (apollo-server)

v2.25.4
v2.25.3
v2.25.2
v2.25.1
v2.25.0
v2.24.1
v2.24.0
v2.23.0
v2.22.2
v2.22.1
v2.22.0
v2.21.2
v2.21.1
v2.21.0
v2.20.0
v2.19.2
v2.19.1
v2.19.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.