Advisory #61
Title: Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)
CVE ID: CVE-2021-41249
Vendor: Apollo GraphQL
Affected product: Apollo Server
Affected versions: 2.0.0 - 2.25.2, 3.0.0 - 3.4.0
Vulnerability type: CWE-79 (Cross-site Scripting)
Description: Apollo Server has a cross-site scripting vulnerability in its GraphQL Playground component, which allows a malicious schema to execute arbitrary JavaScript.
Status: Fixed in 2.25.3/3.4.1
Recommendation: Update to 2.25.3/3.4.1 or above.
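The following is an added example, not code from the advisory or from Apollo: a small Node.js check that decides whether an installed Apollo Server version falls inside the affected ranges listed above and reports the fixed release to move to. It assumes the caller supplies a map of installed package names to resolved versions (for instance assembled from `npm ls --json` or a lockfile), and it matches Apollo Server packages by the `apollo-server` name prefix, which is an assumption of this example rather than something the advisory states. Pre-release builds of the fixed version (which semver orders before the release) are conservatively reported as affected.

```javascript
// Added example (not from the advisory or from Apollo): decide whether an
// installed Apollo Server version is inside the advisory's affected ranges
// and report the fixed version to update to.

// Ranges from the advisory: 2.0.0 - 2.25.2 and 3.0.0 - 3.4.0 are affected;
// 2.25.3 and 3.4.1 carry the fix. A version counts as affected when it is
// >= the first affected release of its major line and < the fixed release,
// so pre-release builds such as 2.25.3-alpha.0 (ordered before 2.25.3 by
// semver) are reported as affected.
const ADVISORY = {
  2: { firstAffected: '2.0.0', fixed: '2.25.3' },
  3: { firstAffected: '3.0.0', fixed: '3.4.1' },
};

// Parse "major.minor.patch[-prerelease][+build]" into a comparable structure.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(text).trim());
  if (!m) throw new Error(`not a semver version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering on major.minor.patch; a pre-release sorts before the
// release with the same numbers. The relative order of two pre-releases is
// not needed for this check, so they compare equal.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// True when the given version lies in an affected range.
function isAffected(version) {
  const v = parseVersion(version);
  const line = ADVISORY[v.nums[0]];
  if (!line) return false; // major lines the advisory does not list
  return compareVersions(v, parseVersion(line.firstAffected)) >= 0 &&
         compareVersions(v, parseVersion(line.fixed)) < 0;
}

// Fixed release for an affected version, or null when no update is needed.
function recommendedFix(version) {
  if (!isAffected(version)) return null;
  return ADVISORY[parseVersion(version).nums[0]].fixed;
}

// Scan a map of installed packages (name -> resolved version) and report the
// Apollo Server packages that need updating. Matching on the 'apollo-server'
// prefix is an assumption of this example; it covers apollo-server and its
// framework integrations such as apollo-server-express.
function auditInstalled(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    if (!name.startsWith('apollo-server')) continue;
    if (isAffected(version)) {
      findings.push({ name, version, fix: recommendedFix(version), cve: 'CVE-2021-41249' });
    }
  }
  return findings;
}

// Constructed sample input for demonstration; not taken from a real lockfile.
const sampleInstalled = {
  'apollo-server-express': '2.19.2',
  'apollo-server-core': '3.4.0',
  'graphql': '15.5.0',
};

console.log(JSON.stringify(auditInstalled(sampleInstalled), null, 2));
```

Feed `auditInstalled` the resolved versions actually installed, not the range specifiers from `package.json` (a `^2.19.0` dependency may already resolve to 2.25.3 or later); each finding names the package, the installed version and the release the advisory recommends.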