
CSRF via window.postMessage origin-validation bypass in Apollo Embedded Sandbox and Explorer

High
glasser published GHSA-47qc-hrx3-r993 Sep 25, 2025

Package: @apollo/explorer (npm)
Affected versions: <3.7.3
Patched versions: 3.7.3

Package: @apollo/sandbox (npm)
Affected versions: <2.7.2
Patched versions: 2.7.2

Description

Impact

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer.

The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies.
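The following is an added example, not code from Apollo or from this advisory, showing the pattern the paragraph describes: an embedding page listens for window.postMessage events and relays GraphQL operations to a server. The unchecked handler accepts a message from any window; the hardened handler compares event.origin against an explicit allowlist before doing anything. The message shape (`name`, `query`, `variables`), the function names and the origins are assumptions; the events are constructed stand-ins for browser MessageEvent objects so the code runs outside a browser.

```javascript
// Constructed stand-in for the real executor: records the operations a
// handler would have sent, so the effect of each handler can be inspected.
function makeRecorder() {
  const sent = [];
  return {
    sent,
    execute(operation) {
      sent.push(operation);
    },
  };
}

// Vulnerable pattern (assumed shape, not Apollo's code): no origin check, so
// any window able to post a message to this page can trigger a request that
// is sent with the victim's cookies.
function createUncheckedHandler(executor) {
  return function onMessage(event) {
    const msg = event.data;
    if (msg && msg.name === 'ExecuteOperation') {
      executor.execute({ query: msg.query, variables: msg.variables });
      return true;
    }
    return false;
  };
}

// Hardened pattern: accept only messages whose event.origin is in an explicit
// allowlist. Origins are normalized through URL so that default ports and
// trailing slashes compare correctly; no wildcard or substring matching.
function createOriginCheckedHandler(allowedOrigins, executor) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function onMessage(event) {
    if (!allowed.has(event.origin)) {
      return false; // dropped: untrusted origin, no side effects
    }
    const msg = event.data;
    if (!msg || msg.name !== 'ExecuteOperation' || typeof msg.query !== 'string') {
      return false; // dropped: malformed message
    }
    executor.execute({ query: msg.query, variables: msg.variables });
    return true;
  };
}

// Constructed events. The origins are placeholders, not real hosts.
const trustedEvent = {
  origin: 'https://sandbox.example.test',
  data: { name: 'ExecuteOperation', query: 'query { me { id } }', variables: {} },
};
const forgedEvent = {
  origin: 'https://other-site.example.test',
  data: { name: 'ExecuteOperation', query: 'mutation { changeSetting }', variables: {} },
};

// Runs both handlers over the same two events and reports how many
// operations each one would have sent.
function demo() {
  const unchecked = makeRecorder();
  const onMessageUnchecked = createUncheckedHandler(unchecked);
  onMessageUnchecked(trustedEvent);
  onMessageUnchecked(forgedEvent);

  const checked = makeRecorder();
  const onMessageChecked = createOriginCheckedHandler(
    ['https://sandbox.example.test'],
    checked,
  );
  onMessageChecked(trustedEvent);
  onMessageChecked(forgedEvent);

  return { uncheckedCount: unchecked.sent.length, checkedCount: checked.sent.length };
}

console.log(demo()); // { uncheckedCount: 2, checkedCount: 1 }
```

In a real page the allowlist should be the fixed set of origins the embed is expected to talk to, and where the embed lives in a known iframe, checking `event.source` against that frame's `contentWindow` adds a second, independent condition. Replies sent back with `postMessage` should likewise name the target origin explicitly rather than passing `'*'`.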

This vulnerability was present when Apollo Server ran with embedded Sandbox or Explorer enabled. Embedded Sandbox is enabled by default when NODE_ENV is not set to production, and embedded Sandbox and Explorer can also be enabled in production mode via landing page plugins.

Apollo Server's support for embedded Sandbox and Explorer serves the vulnerable code from Apollo's CDN. Apollo has already mitigated the vulnerability by updating its CDN. No action is necessary to mitigate this vulnerability for users of Apollo Server.

For more information on this vulnerability, see the main advisory.

(This advisory affected all versions of Apollo Server when configured to serve embedded Sandbox or Explorer, but no upgrade is required to fix it. The GHSA "affected products" field does not allow us to represent this or to leave it blank, so this GHSA lists @apollo/sandbox and @apollo/explorer as affected products rather than @apollo/server; technically speaking, these npm packages are not dependencies of @apollo/server.)

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

CVE ID

No known CVE

Weaknesses

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Credits