4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
52.1%
directly impacted:
graphql-playground-html@<1.6.22
- all unsanitized user input for renderPlaygroundPage()
all of our consuming packages of graphql-playground-html
are impacted:
graphql-playground-middleware-express@<1.7.16
- unsanitized user input to expressPlayground()
graphql-playground-middleware-koa@<1.6.15
- unsanitized user input to koaPlayground()
graphql-playground-middleware-lambda@<1.7.17
- unsanitized user input to lambdaPlayground()
graphql-playground-middleware-hapi@<1.6.13
- unsanitized user input to hapiPlayground()
as well as any other packages that use these methods with unsanitized user input.
not impacted:
graphql-playground-electron
- uses renderPlaygroundPage()
statically for a webpack build for electron bundle, no dynamic user inputgraphql-playground-react
- usage of the component directly in a react application does not expose reflected XSS vulnerabilities. only the demo in public/
contains the vulnerability, because it uses an old version of the html pacakge.upgrading to the above mentioned versions will solve the issue.
If you’re using graphql-playground-html
directly, then:
yarn add graphql-playground-html@^1.6.22
or
npm install --save graphql-playground-html@^1.6.22
Then, similar steps need to be taken for each middleware:
Ensure you properly sanitize all user input for options you use for whatever function to initialize GraphQLPlayground:
for example, with graphql-playground-html
and express:
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(renderPlaygroundPage({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
or, with graphql-playground-express
:
const { expressPlayground } = require('graphql-playground-middleware-express');
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
Masato Kinugawa of Cure53
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
graphql-playground-html | lt | 1.6.22 |
github.com/advisories/GHSA-4852-vrh7-28rf
github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
github.com/prisma-labs/graphql-playground#security-details
github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
nvd.nist.gov/vuln/detail/CVE-2020-4038
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
0.002 Low
EPSS
Percentile
52.1%