CVE-2025-59845
JavaScript vulnerability analysis and mitigation

Overview

Apollo Studio Embeddable Explorer and Embeddable Sandbox, the embeddable GraphQL development tools from Apollo GraphQL, contain a cross-site request forgery (CSRF) vulnerability. It affects Apollo Sandbox versions prior to 2.7.2 and Apollo Explorer versions prior to 3.7.3, and was disclosed on September 25, 2025. The affected components are used to embed Apollo's GraphQL tooling into third-party websites (GitHub Advisory).

Technical details

The vulnerability stems from missing origin validation in the client-side code that handles window.postMessage events on the embedding page: messages are processed without checking that they came from the expected origin, so a message from any other window is handled as if it came from the embedded tool. The flaw has been assigned a CVSS v3.1 base score of 8.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N (user interaction required, since the victim must visit the attacker's page; scope changed, since the impact lands on the GraphQL server rather than the vulnerable component). It is categorized under CWE-346 (Origin Validation Error) and CWE-352 (Cross-Site Request Forgery) (GitHub Advisory).

Impact

A malicious website can send forged messages to the embedding page, causing the victim's browser to execute arbitrary GraphQL queries or mutations against the victim's GraphQL server with the victim's cookies attached. As with classic CSRF, the attacker cannot read the responses, but can trigger mutations with side effects. The forged operations are indistinguishable from legitimate ones on the server side and carry the browser user's cookies, so they can also reach GraphQL servers on private networks that the attacker cannot otherwise access (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3 by adding strict origin validation to the DOM message handling. Apollo's CDN embeds have been updated automatically to the patched versions, so users who load the tools from the CDN rather than installing the npm packages @apollo/sandbox or @apollo/explorer need to take no action. Users who install those packages directly should upgrade to the patched versions. For Apollo Server users, setting NODE_ENV=production in production environments prevents the embedded Sandbox from being served unintentionally as the landing page (GitHub Advisory).
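To make the missing check in the Technical details and the fix described above concrete, here is an added example (not Apollo's code, and not taken from the advisory) that models an embedding page relaying window.postMessage requests to a GraphQL endpoint. It runs under Node without a browser: message events are constructed inline as plain objects, the endpoint URL and trusted embed origin are assumed placeholders, and the names vulnerableHandler, hardenedHandler, makeRecorder and runScenario are hypothetical. The vulnerable handler relays any well-formed message; the hardened one requires an exact origin match and the expected source window.

```javascript
// Added example, not Apollo's code. Models the embedding page's postMessage
// listener in a vulnerable and a hardened form. All names and origins here are
// assumptions for illustration.

const GRAPHQL_ENDPOINT = "https://internal.example/graphql";   // assumed endpoint
const TRUSTED_EMBED_ORIGIN = "https://trusted-embed.example";  // assumed embed origin

// Stand-in for fetch(endpoint, { credentials: "include", ... }): records each
// request the browser would have sent with the victim's cookies attached.
function makeRecorder() {
  const sent = [];
  return {
    sent,
    send(operation) {
      sent.push({ url: GRAPHQL_ENDPOINT, credentials: "include", body: operation });
    },
  };
}

// Extracts a GraphQL request from a message payload, or null if it is not one.
function parseRequest(data) {
  if (data && data.name === "ExecuteOperation" && typeof data.operation === "string") {
    return { query: data.operation, variables: data.variables ?? {} };
  }
  return null;
}

// Vulnerable handler (CWE-346): never looks at event.origin or event.source,
// so any window that can post to the embedding page can drive the endpoint.
function vulnerableHandler(recorder) {
  return (event) => {
    const req = parseRequest(event.data);
    if (!req) return false;
    recorder.send(req);
    return true;
  };
}

// Hardened handler: exact-match allowlist on event.origin (a Set, so lookalike
// origins and the opaque origin "null" are rejected; never a substring test or
// "*"), plus a check that the message came from the expected embedded frame.
function hardenedHandler(recorder, allowedOrigins, expectedSource) {
  const allowed = new Set(allowedOrigins);
  return (event) => {
    if (!allowed.has(event.origin)) return false;
    if (expectedSource && event.source !== expectedSource) return false;
    const req = parseRequest(event.data);
    if (!req) return false;
    recorder.send(req);
    return true;
  };
}

// Drives both handlers with constructed MessageEvent-like objects.
function runScenario() {
  const embedFrame = { id: "embedded-sandbox-frame" };  // stands in for iframe.contentWindow
  const attackerFrame = { id: "attacker-frame" };
  const payload = { name: "ExecuteOperation", operation: "mutation { deleteAllUsers }" };

  const forged = { origin: "https://attacker.example", source: attackerFrame, data: payload };
  // Lookalike origin: a prefix/substring check would wrongly accept this one.
  const lookalike = {
    origin: TRUSTED_EMBED_ORIGIN + ".attacker.example",
    source: attackerFrame,
    data: payload,
  };
  const legit = {
    origin: TRUSTED_EMBED_ORIGIN,
    source: embedFrame,
    data: { name: "ExecuteOperation", operation: "{ __typename }" },
  };

  const vulnRec = makeRecorder();
  const vuln = vulnerableHandler(vulnRec);
  const hardRec = makeRecorder();
  const hard = hardenedHandler(hardRec, [TRUSTED_EMBED_ORIGIN], embedFrame);

  return {
    vulnerableAcceptedForged: vuln(forged),
    vulnerableAcceptedLookalike: vuln(lookalike),
    vulnerableAcceptedLegit: vuln(legit),
    hardenedAcceptedForged: hard(forged),
    hardenedAcceptedLookalike: hard(lookalike),
    hardenedAcceptedLegit: hard(legit),
    vulnerableSent: vulnRec.sent.length,  // 3: every message reached the endpoint
    hardenedSent: hardRec.sent.length,    // 1: only the trusted frame's message
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

The two checks in the hardened handler are the ones to look for when reviewing any postMessage listener: an exact comparison of event.origin against a fixed allowlist, and a comparison of event.source against the window reference you actually created. The lookalike case shows why the origin test must be an exact match rather than startsWith or includes.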

Additional resources

Source: GitHub Advisory. This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name     CISA KEV exploit  Has fix  Published date
CVE-2025-59834   CRITICAL  9.8    JavaScript    adb-mcp            No                No       Sep 25, 2025
CVE-2020-36851   CRITICAL  9.5    JavaScript    cors-anywhere      No                No       Sep 25, 2025
CVE-2025-59936   CRITICAL  9.4    JavaScript    get-jwks           No                Yes      Sep 27, 2025
CVE-2025-59831   HIGH      8.7    JavaScript    git-commiters      No                Yes      Sep 25, 2025
CVE-2025-59845   HIGH      8.2    JavaScript    @apollo/explorer   No                Yes      Sep 26, 2025
