
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-w42g-7vfc-xf37) concerns how Apollo Server applies GraphQL validation rules to its WebSocket subscriptions transport and affects versions prior to 2.14.2. The issue was discovered by the Bitwala team and disclosed on June 4, 2020. It impacts apollo-server-core and the integration packages built on it (apollo-server-express, apollo-server-lambda, apollo-server-koa, etc.) whenever WebSocket subscriptions are in use (GitHub Advisory).
The root cause is that the validation rules were not passed to the SubscriptionServer.create call that sets up the WebSocket subscriptions transport. Both user-provided validationRules and the internal NoIntrospection rule (which Apollo Server adds when introspection is false) were affected. Because the subscriptions transport executes any operation sent over the socket, not only subscription operations, a client that opens a WebSocket connection could run an introspection query that the HTTP endpoint would reject. The leak requires subscriptions to be enabled (the default) and introspection to be disabled; with introspection enabled there is nothing extra to expose, although custom rules were still skipped on that transport (GitHub Advisory).
The advisory rates the severity as Moderate. The practical impact depends on what the schema itself reveals: type names, field names, and descriptions that carry sensitive information (internal feature names, unreleased fields, operational hints) become readable through introspection over the WebSocket endpoint despite introspection being disabled. Independently of introspection, any custom validation rules an implementor configured (depth or complexity limits, for example) were not enforced on the subscriptions endpoint (GitHub Advisory).
The primary mitigation is to upgrade to Apollo Server 2.14.2 or later. Those unable to upgrade immediately can disable subscriptions entirely by passing subscriptions: false to the ApolloServer constructor, which removes the WebSocket transport and with it the unvalidated path. When upgrading, make sure both the integration package in use and apollo-server-core reach 2.14.2; the fix lives in apollo-server-core, so an install that pulls in a newer integration package but still resolves an older apollo-server-core remains vulnerable (GitHub Advisory).
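The transport mismatch described above, as an added example that is not Apollo Server's own code. It models the two Apollo Server 2 transports sharing one list of validation rules; real rules run over a parsed AST via graphql-js, so to stay dependency-free a rule here takes the raw query string and returns an array of error messages (an assumption of this example). The maxDepth rule is hypothetical and stands in for any custom validationRules entry.

```javascript
// Added example (not Apollo Server's code): a stand-in for the two Apollo
// Server 2 transports, HTTP and WebSocket, sharing one list of validation
// rules. Real rules run over a parsed AST via graphql-js; to keep this
// dependency-free, a rule here takes the raw query string and returns an
// array of error messages (assumption).

// Remove string literals and comments first so "__schema" inside an argument
// value is not a false positive, then collect the fields NoIntrospection
// rejects. __typename stays allowed, as in Apollo's rule.
function introspectionFields(query) {
  const stripped = query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
  const found = new Set();
  for (const m of stripped.matchAll(/\b(__schema|__type)\b/g)) found.add(m[1]);
  return [...found];
}

// Counterpart of apollo-server-core's internal NoIntrospection rule.
function noIntrospection(query) {
  const fields = introspectionFields(query);
  return fields.length === 0
    ? []
    : [`GraphQL introspection is not allowed, but the query contained ${fields.join(', ')}`];
}

// Hypothetical user-supplied rule standing in for an entry in validationRules:
// rejects selection sets nested deeper than `limit` (counts braces only).
function maxDepth(limit) {
  return (query) => {
    let depth = 0;
    let deepest = 0;
    for (const ch of query) {
      if (ch === '{') deepest = Math.max(deepest, ++depth);
      else if (ch === '}') depth--;
    }
    return deepest > limit ? [`selection depth ${deepest} exceeds limit ${limit}`] : [];
  };
}

// Build the per-transport validators the way the constructor options imply.
// `patched` models apollo-server-core 2.14.2: the same rules list reaches
// SubscriptionServer.create; before the fix the WebSocket transport got none.
function buildServer({ introspection = true, validationRules = [], subscriptions = true, patched }) {
  const rules = introspection ? [...validationRules] : [...validationRules, noIntrospection];
  const validator = (ruleList) => (query) => ruleList.flatMap((rule) => rule(query));
  const transports = { http: validator(rules) };
  if (subscriptions) transports.ws = validator(patched ? rules : []);
  return transports;
}

// Constructed sample operations: an introspection query and an over-deep query.
const INTROSPECTION_QUERY = '{ __schema { types { name } } }';
const DEEP_QUERY = '{ a { b { c { d } } } }';

function demo() {
  const options = { introspection: false, validationRules: [maxDepth(3)] };
  const vulnerable = buildServer({ ...options, patched: false });
  const fixed = buildServer({ ...options, patched: true });
  const disabled = buildServer({ ...options, subscriptions: false, patched: false });
  return {
    httpBlocksIntrospection: vulnerable.http(INTROSPECTION_QUERY).length > 0,
    wsLeaksIntrospection: vulnerable.ws(INTROSPECTION_QUERY).length === 0,
    wsSkipsCustomRule: vulnerable.ws(DEEP_QUERY).length === 0,
    patchedWsBlocksBoth: fixed.ws(INTROSPECTION_QUERY).length > 0 && fixed.ws(DEEP_QUERY).length > 0,
    workaroundRemovesWs: disabled.ws === undefined,
  };
}
```

The same query string is rejected by the HTTP validator and accepted by the unpatched WebSocket validator, which is exactly the gap the advisory describes; the `subscriptions: false` case shows why the workaround is sufficient (there is no WebSocket validator at all to bypass).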
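A small triage helper for the conditions and remediation just described, added here as example code rather than anything shipped by Apollo. It takes the apollo-server-core version and the plain ApolloServer constructor options, and reports whether the instance is exposed and what to change. The defaults it models are assumptions about Apollo Server 2: subscriptions are on unless set to false, and introspection is on unless set to false or NODE_ENV is "production".

```javascript
// Added example (not Apollo's code): assess whether an Apollo Server 2
// configuration on a given apollo-server-core version is exposed to
// GHSA-w42g-7vfc-xf37 and what to change. Defaults are modelled on Apollo
// Server 2 (assumption): subscriptions are on unless set to false, and
// introspection is on unless set to false or NODE_ENV is "production".

const PATCHED_VERSION = '2.14.2';

// Numeric major.minor.patch comparison; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

function assess({ coreVersion, options = {}, nodeEnv = process.env.NODE_ENV }) {
  const subscriptionsOn = options.subscriptions !== false;
  const introspectionOn =
    options.introspection === undefined ? nodeEnv !== 'production' : Boolean(options.introspection);
  const customRules = Array.isArray(options.validationRules) && options.validationRules.length > 0;
  const unpatched = compareVersions(coreVersion, PATCHED_VERSION) < 0;

  const reasons = [];
  if (unpatched && subscriptionsOn && !introspectionOn) {
    reasons.push('introspection reachable over the WebSocket endpoint despite introspection being off');
  }
  if (unpatched && subscriptionsOn && customRules) {
    reasons.push(`${options.validationRules.length} custom validation rule(s) not enforced on subscriptions`);
  }
  const exposed = reasons.length > 0;
  return {
    exposed,
    reasons,
    remediation: !exposed
      ? []
      : [
          `upgrade apollo-server-core and the integration package to ${PATCHED_VERSION} or later`,
          'until then, pass subscriptions: false to the ApolloServer constructor',
        ],
  };
}

// Packages that must move together when upgrading; the integration package
// name (e.g. apollo-server-express) is whatever the project actually uses.
function upgradeTargets(integrationPackage) {
  return [`${integrationPackage}@${PATCHED_VERSION}`, `apollo-server-core@${PATCHED_VERSION}`];
}
```

Note the production case: an app that never sets introspection explicitly still has it disabled under NODE_ENV=production, so it is exposed on an unpatched core even though the options object looks empty.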
Source: This report was generated using AI