Search for packages
| purl | pkg:npm/apollo-server@3.3.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-a82x-uben-ufdz
Aliases: GHSA-qm7x-rc44-rrqw GMS-2021-33 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apollo-server. |
Affected by 1 other vulnerability. |
|
VCID-peh1-p69m-nyh7
Aliases: CVE-2026-23897 GHSA-mp6q-xf9x-fwf7 |
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` The default configuration of `startStandaloneServer` from `@apollo/server/standalone` is vulnerable to Denial of Service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use `@apollo/server` as a dependency for integration packages, like `@as integrations/express5` or `@as-integrations/next`, only direct usage of `startStandaloneServer`. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:49:16.605318+00:00 | GitLab Importer | Affected by | VCID-peh1-p69m-nyh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/apollo-server/CVE-2026-23897.yml | 38.6.0 |
| 2026-06-06T01:05:19.859361+00:00 | GitLab Importer | Affected by | VCID-a82x-uben-ufdz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/apollo-server/GMS-2021-33.yml | 38.6.0 |