GHSA-qm7x-rc44-rrqw: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in GraphQL Playground, as distributed by Apollo Server, identified as GHSA-qm7x-rc44-rrqw and CVE-2021-41249. The vulnerability affects Apollo Server versions 2.0.0 to 2.25.2 and 3.0.0 to 3.4.0, with the issue being patched in versions 2.25.3 and 3.4.1. The vulnerability was discovered by Ry0taK and was published on November 4, 2021 (GitHub Advisory).

The vulnerability exists in configurations where Apollo Server serves the client-side web app 'GraphQL Playground' from the same web server that executes GraphQL operations. The web app has access to cookies and other credentials associated with the web server's operations. The vulnerability allows for arbitrary JavaScript code execution in the web server's origin through specially crafted links to the GraphQL Playground page. In Apollo Server 2, GraphQL Playground is served by default unless NODE_ENV is set to production, while in Apollo Server 3, it's only vulnerable when explicitly using the ApolloServerPluginLandingPageGraphQLPlayground plugin (GitHub Advisory).

When exploited, this vulnerability allows attackers to steal cookies and other private browser data when users click on specially crafted links to the GraphQL Playground page. The impact is particularly severe if the GraphQL server's origin URL is used to store sensitive data such as cookies (GitHub Advisory).

Several mitigation approaches are available: 1) Upgrade to Apollo Server 2.25.3 or 3.4.1, 2) Configure the current version to serve the latest version of GraphQL Playground (1.7.42) by adding the version option, or 3) Disable GraphQL Playground entirely. For Apollo Server 3, remove the ApolloServerPluginLandingPageGraphQLPlayground from the plugins array. For Apollo Server 2, set playground: false in the ApolloServer constructor (GitHub Advisory).