Search for packages
| purl | pkg:npm/apollo-server@3.4.1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-peh1-p69m-nyh7
Aliases: CVE-2026-23897 GHSA-mp6q-xf9x-fwf7 |
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer` The default configuration of `startStandaloneServer` from `@apollo/server/standalone` is vulnerable to Denial of Service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use `@apollo/server` as a dependency for integration packages, like `@as integrations/express5` or `@as-integrations/next`, only direct usage of `startStandaloneServer`. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-a82x-uben-ufdz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in apollo-server. |
GHSA-qm7x-rc44-rrqw
GMS-2021-33 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-07T20:47:43.472994+00:00 | GHSA Importer | Fixing | VCID-a82x-uben-ufdz | https://github.com/advisories/GHSA-qm7x-rc44-rrqw | 38.6.0 |
| 2026-06-06T06:49:16.617813+00:00 | GitLab Importer | Affected by | VCID-peh1-p69m-nyh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/apollo-server/CVE-2026-23897.yml | 38.6.0 |
| 2026-06-04T17:33:13.376873+00:00 | GithubOSV Importer | Fixing | VCID-a82x-uben-ufdz | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-qm7x-rc44-rrqw/GHSA-qm7x-rc44-rrqw.json | 38.6.0 |
| 2026-06-02T04:40:22.188038+00:00 | GitLab Importer | Fixing | VCID-a82x-uben-ufdz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/apollo-server/GMS-2021-33.yml | 38.6.0 |