Skip to content

@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

Low severity GitHub Reviewed Published Jun 15, 2023 in apollographql/apollo-server • Updated Jun 20, 2023

Package

npm @apollo/server (npm)

Affected versions

>= 4.7.1, < 4.7.4

Patched versions

4.7.4

Description

Context

Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.

Impact

There aren't any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven't been reported and patched, then all users of Apollo Server's landing pages have a vulnerability which won't be prevented by the current CSP implemented by the landing pages.

Prior to version 4.7.1, there was no CSP implemented at all. However, the initial CSP implementation (4.7.1+) reused nonces. While this sufficiently resolved the issue w.r.t. scripts not running in Safari, it did not implement CSP in a safe or conventional way.

Patches

The issue is patched in the latest version of Apollo Server, v4.7.4. The changes can be reviewed in the merge commit.

Workarounds

The landing page can be disabled completely until the patch can be upgraded to.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page

References

https://content-security-policy.com/nonce/

References

Published to the GitHub Advisory Database Jun 16, 2023
Reviewed Jun 16, 2023
Last updated Jun 20, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-68jh-rf6x-836f
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.