
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-2fvv-qxrq-7jq6), discovered in August 2022, affects apollo-server-core from version 3.0.0 up to the fix in 3.10.1. It is a URL-based cross-site scripting (XSS) issue in the default landing page that affects users browsing with IE11. The flaw was introduced when the landing page feature was added in v3.0.0 and applies to Apollo Server installations that have the default landing page enabled (GitHub Advisory).
The root cause lies in the default landing page's fallback HTML, which displays a sample curl command when the full landing page bundle fails to load from Apollo's CDN. The server's URL is interpolated into that command in the browser, straight from window.location.href. On older browsers such as IE11 this value is not URI-encoded, so a crafted URL can break out of the surrounding markup and inject attacker-controlled JavaScript into the page (GitHub Advisory).
Affected deployments are those using the default landing page configuration or explicitly installing ApolloServerPluginLandingPageLocalDefault() or ApolloServerPluginLandingPageProductionDefault(). If exploited, the flaw lets an attacker run arbitrary JavaScript in the context of any IE11 user who visits the Apollo Server landing page (GitHub Advisory).
The vulnerability was patched in version 3.10.1 by removing the sample curl command from the fallback page. As a workaround, the landing page can be disabled with ApolloServerPluginLandingPageDisabled(). Alternatives include switching to ApolloServerPluginLandingPageGraphQLPlayground() or supplying a custom plugin that implements the renderLandingPage hook (GitHub Advisory).
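As an added illustration of the custom-plugin workaround (this is example code, not Apollo's own landing page or the GHSA fix), the plugin below renders a landing page on the server, HTML-escapes the endpoint path before interpolating it into the sample curl command, and never reads window.location.href in the browser. The graphqlPath option is an assumption of this example; Apollo Server 3 does not pass the path into the hook itself.

```javascript
'use strict';

// Escape the characters that can terminate an HTML text or attribute
// context, so an unexpected value cannot break out of the <code> element.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the landing page for an operator-configured endpoint path. Unlike the
// vulnerable fallback page, the value is fixed at startup and escaped before it
// is interpolated; nothing is taken from the visitor's URL.
function renderSafeLandingPage(graphqlPath) {
  const safePath = escapeHtml(graphqlPath);
  return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>GraphQL endpoint</title></head>
<body>
<p>Send queries to this endpoint with a POST request, for example:</p>
<pre><code>curl --request POST \\
  --header 'content-type: application/json' \\
  --url '${safePath}' \\
  --data '{"query":"query { __typename }"}'</code></pre>
</body></html>`;
}

// Plugin object in the shape Apollo Server 3 accepts in `plugins: [...]`:
// serverWillStart() returns a listener whose renderLandingPage() supplies the
// HTML served on a browser GET. The graphqlPath option is assumed here.
function safeLandingPagePlugin({ graphqlPath = '/graphql' } = {}) {
  return {
    async serverWillStart() {
      return {
        async renderLandingPage() {
          return { html: renderSafeLandingPage(graphqlPath) };
        },
      };
    },
  };
}
```

Install it with `new ApolloServer({ plugins: [safeLandingPagePlugin({ graphqlPath: '/graphql' })] })` in place of the default landing page plugin.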
Source: This report was generated using AI