{"url":"http://public2.vulnerablecode.io/api/packages/507621?format=json","purl":"pkg:npm/apollo-server@2.5.1-alpha.1","type":"npm","namespace":"","name":"apollo-server","version":"2.5.1-alpha.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19245?format=json","vulnerability_id":"VCID-59b1-8h9y-nbbc","summary":"Apollo Server vulnerable to Denial of Service with `startStandaloneServer`\n### Impact\n\nThe default configuration of `startStandaloneServer` from `@apollo/server/standalone` is vulnerable to Denial of Service (DoS) attacks through specially crafted request bodies with exotic character set encodings.\n\nThis issue does not affect users who use `@apollo/server` as a dependency for integration packages, like `@as-integrations/express5` or `@as-integrations/next`; it affects only direct usage of `startStandaloneServer`.\n\n### Who is impacted\n\nUsers directly using `startStandaloneServer` from `@apollo/server/standalone`.\n\nThis issue affects Apollo Server from v5.0.0 through v5.3.x.\n\nIt also affects all releases of the end-of-life major versions v4, v3, and v2. Although Apollo Server v4 is EOL and Apollo no longer commits to providing support or updates for it, a fix for it was released in v4.13.0. Apollo Server v3 and v2 are no longer updated, as they have been EOL since 2024 and 2023 respectively.\n\n### Patches\n\nPatches for this issue are released as `@apollo/server` versions `5.4.0` and `4.13.0`.\n\nIn accordance with [RFC 7159](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1), these versions now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a `415 Unsupported Media Type` error. 
Note that the more recent JSON RFC, [RFC 8259](https://datatracker.ietf.org/doc/html/rfc8259#section-8.1), is stricter and only allows UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, the restriction may be tightened further to only allow UTF-8.\n\n### Workarounds\n\nUsers of `apollo-server` v2 or v3 who cannot upgrade for some reason could switch from the standalone `apollo-server`\npackage to an integration package like `apollo-server-express` or `apollo-server-koa` and set up their own server. Please note that these old packages are generally EOL and do not receive any more support or bug fixes. This can only be seen as a short-term workaround. Updating to `@apollo/server` v5 should be a priority.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23897","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06879","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23897"},{"reference_url":"https://github.com/apollographql/apollo-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/apollo-server"},{"reference_url":"https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T19:55:05Z/"}],"url":"https://github.com/apollographql/apollo-server/
commit/d25a5bdc377826ad424fcf7f8d1d062055911643"},{"reference_url":"https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T19:55:05Z/"}],"url":"https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4"},{"reference_url":"https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-04T19:55:05Z/"}],"url":"https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23897","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23897"},{"reference_url":"https://github.com/advisories/GHSA-mp6q-xf9x-fwf7","reference_id":"GHSA-mp6q-xf9x-fwf7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp6q-xf9x-fwf7"}],"fixed_packages":[],"aliases":["CVE-2026-23897","GHSA-mp6q-xf9x-fwf7"],"risk_score":null,"exploitability":null,"weighted_severity"
:null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-59b1-8h9y-nbbc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44490?format=json","vulnerability_id":"VCID-7kaq-9qkt-fya8","summary":"Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)\n### Impact\nIn certain configurations, Apollo Server serves the client-side web app \"GraphQL Playground\" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting vulnerability in GraphQL Playground that allows for arbitrary JavaScript code execution in your web server's origin. If a user clicks a specially crafted link to your GraphQL Playground page served by Apollo Server, an attacker can steal cookies and other private browser data.\n\nDetails of the underlying GraphQL Playground vulnerability are available in [this `graphql-playground` advisory](https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7). (A [similar vulnerability](https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8) exists in the related `graphiql` project.) This advisory focuses on identifying whether *Apollo Server* installations are vulnerable and mitigating the vulnerability in Apollo Server; see the other advisories for details on the XSS vulnerability itself.\n\nThe impact of this vulnerability is more severe if (as is common) your GraphQL server's origin URL is an origin that is used to store sensitive data such as cookies.\n\nIn order for this vulnerability to affect your Apollo Server installation, it must actually serve GraphQL Playground. The integration between Apollo Server and GraphQL Playground is different in Apollo Server 2 and Apollo Server 3. 
You can tell which version of Apollo Server you are running by looking at the version of the [package from which you import the `ApolloServer` class](https://www.apollographql.com/docs/apollo-server/integrations/middleware/): this may be `apollo-server`, `apollo-server-express`, `apollo-server-lambda`, etc.\n\n#### Apollo Server 3\n\nApollo Server 3 does not serve GraphQL Playground by default. It has a [landing page plugin system](https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/) and the default plugin is a simple splash page that is not vulnerable to this exploit, linking to Apollo Sandbox Explorer. (We chose to change the default because GraphQL Playground is not actively maintained.)\n\nIf you are running Apollo Server 3, then you are *only* vulnerable if you *explicitly* import the [`ApolloServerPluginLandingPageGraphQLPlayground`](https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#graphql-playground-landing-page) plugin and pass it to your `ApolloServer`'s constructor in the `plugins` array. Otherwise, this advisory does not apply to your server.\n\n#### Apollo Server 2\n\nApollo Server 2 serves GraphQL Playground by default, unless the `NODE_ENV` environment variable is set to `production`, or if you explicitly configure it via the `playground` option to the `ApolloServer` constructor.\n\nYour Apollo Server 2 installation is vulnerable if *any* of the following is true:\n- You pass `playground: true` to the `ApolloServer` constructor\n- You pass some other object like `playground: {title: \"Title\"}` to the `ApolloServer` constructor\n- You do *not* pass any `playground` option to the `ApolloServer` constructor, *and* the `NODE_ENV` environment variable is *not* set to `production`\n\n#### Apollo Server 1\n\nApollo Server 1 included `graphiql` instead of `graphql-playground`. 
`graphiql` isn't automatically enabled in Apollo Server 1: you have to explicitly call a function such as `graphiqlExpress` to enable it. Because Apollo Server 1 is not commonly used, we have not done a detailed examination of whether the integration between Apollo Server 1 and `graphiql` is vulnerable to a similar exploit. If you are still using Apollo Server 1, we recommend you disable `graphiql` by removing the `graphiqlExpress` call, and then upgrade to a newer version of Apollo Server.\n\n### Patches and workarounds\n\nThere are several approaches you can take to ensure that your server is not vulnerable to this issue.\n\n#### Upgrade Apollo Server\n\nThe vulnerability has been patched in Apollo Server 2.25.3 and Apollo Server 3.4.1. To get the patch, upgrade your [Apollo Server entry point package](https://www.apollographql.com/docs/apollo-server/integrations/middleware/) to one of the fixed versions; this package may be `apollo-server`, `apollo-server-express`, `apollo-server-lambda`, etc. Additionally, if you depend directly on `apollo-server-core` in your `package.json`, make sure that you upgrade it to the same version.\n\n#### Upgrade Playground version only\n\nIf upgrading to the latest version of Apollo Server 2 or 3 quickly will be challenging, you can configure your current version of Apollo Server to serve the latest version of the GraphQL Playground app. 
This will pin your app to serve a specific version of GraphQL Playground and you will not receive updates to it when you upgrade Apollo Server later, but this may be acceptable because GraphQL Playground is not actively maintained.\n\nThe way to do this depends on what version of Apollo Server you're using and if you're already configuring GraphQL Playground.\n\n- **Apollo Server 3**: If you are using Apollo Server 3, then you are only vulnerable if your server explicitly calls [`ApolloServerPluginLandingPageGraphQLPlayground`](https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#graphql-playground-landing-page) and passes it to the Apollo Server constructor in the `plugins` array. Add the option `version: '1.7.42'` to this call, so it looks like:\n```\nplugins: [ApolloServerPluginLandingPageGraphQLPlayground({version: '1.7.42'})]\n```\n- **Apollo Server 2 with no explicit `playground` option**: If you are using Apollo Server 2 and do not currently pass the `playground` option to `new ApolloServer`, add a `playground` option like so: \n```\nnew ApolloServer({ playground: process.env.NODE_ENV === 'production' ? false : { version: '1.7.42' } })\n```\n- **Apollo Server 2 with `playground: true` or `playground: {x, y, z}`**: If you are using Apollo Server 2 and currently pass `true` or an object to `new ApolloServer`, pass the `version` option under the `playground` option like so:\n```\nnew ApolloServer({ playground: { version: '1.7.42', x, y, z } })\n```\n\n#### Disable GraphQL Playground\n\nIf upgrading Apollo Server or GraphQL Playground is challenging, you can also disable GraphQL Playground.\n\nIn Apollo Server 3, remove the call to `ApolloServerPluginLandingPageGraphQLPlayground` from your `ApolloServer` constructor's `plugins` array. This will replace GraphQL Playground with a simple splash page. 
See [the landing page plugins docs](https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/) for details.\n\nIn Apollo Server 2, add `playground: false` to your `ApolloServer` constructor: `new ApolloServer({ playground: false })`. This will replace GraphQL Playground with an attempt to execute a GraphQL operation, which will likely display an error in the browser.\n\nIf you disable GraphQL Playground, any users who rely on it to execute GraphQL operations will need an alternative, such as the [Apollo Studio Explorer's account-free Sandbox](https://www.apollographql.com/docs/studio/explorer/#account-free-sandbox).\n\n### Credit\n\nThis vulnerability was discovered by @Ry0taK. Thank you!\n\nThe fix to GraphQL Playground was developed by @acao and @glasser with help from @imolorhe, @divyenduz, and @benjie.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Read the [`graphql-playground` advisory](https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7)\n* Open an issue in [the `apollo-server` repo](https://github.com/apollographql/apollo-server/)\n* If the issue involves confidential information, email us at 
[security@apollographql.com](mailto:security@apollographql.com)","references":[{"reference_url":"https://github.com/apollographql/apollo-server","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/apollo-server"},{"reference_url":"https://github.com/apollographql/apollo-server/security/advisories/GHSA-qm7x-rc44-rrqw","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/apollo-server/security/advisories/GHSA-qm7x-rc44-rrqw"},{"reference_url":"https://github.com/advisories/GHSA-qm7x-rc44-rrqw","reference_id":"GHSA-qm7x-rc44-rrqw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qm7x-rc44-rrqw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78307?format=json","purl":"pkg:npm/apollo-server@2.25.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-59b1-8h9y-nbbc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apollo-server@2.25.3"},{"url":"http://public2.vulnerablecode.io/api/packages/78308?format=json","purl":"pkg:npm/apollo-server@3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-59b1-8h9y-nbbc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apollo-server@3.4.1"}],"aliases":["GHSA-qm7x-rc44-rrqw","GMS-2021-33"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7kaq-9qkt-fya8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/apollo-server@2.5.1-alpha.1"}
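The "Patches" section of VCID-59b1-8h9y-nbbc (CVE-2026-23897) above describes the fix as a charset gate: request bodies are accepted only when declared as UTF-8, UTF-16 (LE or BE) or UTF-32 (LE or BE), and any other character set gets a `415 Unsupported Media Type`. The following is an added example of that gate written for this record; it is not code from the `@apollo/server` repository or the advisory. The function names (`parseContentType`, `checkRequestCharset`, `handleRequest`), the sample headers, and the choice to treat an absent `charset` parameter as UTF-8 are assumptions made here for illustration.

```javascript
// Added example: a Content-Type charset gate with the behaviour the advisory's
// "Patches" section describes (only UTF-8, UTF-16 LE/BE and UTF-32 LE/BE bodies
// are accepted; anything else is answered with 415 Unsupported Media Type).
// This is illustrative code, not the @apollo/server implementation. Assumptions:
// the function names are invented, and a missing charset parameter is treated
// as UTF-8 (the JSON default in RFC 8259 section 8.1).

// Charset names accepted by the gate, normalised to lower case.
const ALLOWED_CHARSETS = new Set([
  'utf-8', 'utf8',
  'utf-16', 'utf-16le', 'utf-16be',
  'utf-32', 'utf-32le', 'utf-32be',
]);

// Parse a Content-Type header value into its media type and parameters.
// Parameter names and values are compared case-insensitively and quoted
// values ("UTF-8") are unquoted, so a client cannot slip an unexpected
// encoding past the gate by varying case or quoting.
function parseContentType(header) {
  if (typeof header !== 'string') return { type: '', params: {} };
  const [rawType, ...rawParams] = header.split(';');
  const params = {};
  for (const part of rawParams) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    params[key] = value.toLowerCase();
  }
  return { type: rawType.trim().toLowerCase(), params };
}

// Decide, from the headers alone and before any body bytes are decoded,
// whether the request may proceed. Returns { ok: true, charset } or
// { ok: false, status: 415, reason }.
function checkRequestCharset(contentTypeHeader) {
  const { params } = parseContentType(contentTypeHeader);
  // Assumption: no charset parameter means UTF-8.
  const charset = params.charset === undefined ? 'utf-8' : params.charset;
  if (!ALLOWED_CHARSETS.has(charset)) {
    return { ok: false, status: 415, reason: `Unsupported charset "${charset}"` };
  }
  return { ok: true, charset };
}

// Minimal request pipeline: the gate runs before the body is read or parsed,
// so a rejected request never reaches the decoder that the advisory says can
// be driven into a denial of service. `headers` is a plain object keyed by
// lower-cased header names, the shape Node's http.IncomingMessage exposes;
// `readBody(charset)` is the caller's decoder and is only invoked on success.
function handleRequest(headers, readBody) {
  const verdict = checkRequestCharset(headers['content-type']);
  if (!verdict.ok) {
    return { status: verdict.status, body: verdict.reason };
  }
  const text = readBody(verdict.charset);
  return { status: 200, body: JSON.parse(text) };
}

// Constructed sample requests (not captured traffic).
const sampleHeaders = [
  { 'content-type': 'application/json; charset=utf-8' },
  { 'content-type': 'application/json; charset="UTF-16BE"' },
  { 'content-type': 'application/json' },
  { 'content-type': 'application/json; charset=iso-8859-1' },
  { 'content-type': 'application/json; charset=utf-7' },
];

for (const headers of sampleHeaders) {
  const result = handleRequest(headers, () => '{"query":"{ __typename }"}');
  console.log(headers['content-type'], '->', result.status);
}
```

The point to carry over from the advisory is the ordering: the decision is made from the header before a single body byte is handed to a decoder, which is what keeps an attacker-chosen "exotic" encoding from ever being processed. A real server would still need a decoder for the accepted UTF-16 and UTF-32 variants, which this example leaves to the caller.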