Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OGpoLXJmNngtODM2Zs4AAz6F
@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces
Context
Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.
Impact
There aren't any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven't been reported and patched, then all users of Apollo Server's landing pages have a vulnerability which won't be prevented by the current CSP implemented by the landing pages.
Prior to version 4.7.1, no CSP was implemented at all. However, the initial CSP implementation (4.7.1 and later) reused nonces. While this sufficiently resolved the issue with scripts not running in Safari, it did not implement CSP in a safe or conventional way: a nonce that is the same across responses no longer acts as a one-time token, so the policy does not provide the protection a nonce-based CSP is meant to provide.
Patches
The issue is patched in the latest version of Apollo Server, v4.7.4. The changes can be reviewed in the merge commit.
Workarounds
The landing page can be disabled completely until you can upgrade to the patched version.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page
References
https://content-security-policy.com/nonce/
Permalink: https://github.com/advisories/GHSA-68jh-rf6x-836f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OGpoLXJmNngtODM2Zs4AAz6F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-68jh-rf6x-836f
References:
- https://github.com/apollographql/apollo-server/security/advisories/GHSA-68jh-rf6x-836f
- https://github.com/apollographql/apollo-server/commit/0adaf80d1ee51d8c7e5fd863c04478536d15eb8c
- https://github.com/advisories/GHSA-68jh-rf6x-836f
Blast Radius: 0.0
Affected Packages
npm:@apollo/server
Dependent packages: 329
Dependent repositories: 5,993
Downloads: 4,116,233 last month
Affected Version Ranges: >= 4.7.1, < 4.7.4
Fixed in: 4.7.4
All affected versions: 4.7.1, 4.7.2, 4.7.3
All unaffected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.7.0, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.10.4