GHSA-w87v-7w53-wwxv: Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
A Cross-Site Request Forgery (CSRF) vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies.
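The missing check described above, as an added illustration that is not Apollo's code: a window.postMessage listener that acts on a message only when event.origin is on an explicit allowlist, shown beside the unchecked pattern. The allowed origin, message name, query strings and the stand-in query runner are constructed for this example.

```javascript
// Added example (not from the advisory or Apollo): origin-checked postMessage handling.
// Runs in Node with plain objects standing in for MessageEvent; in a browser the
// same handlers would be registered with window.addEventListener('message', ...).

// Hypothetical embed host; in a real deployment this is the one origin your iframe serves.
const ALLOWED_ORIGINS = new Set(['https://embed.example.com']);

// Vulnerable pattern: no origin check, any page that can reach the embedding
// window may trigger a query that is sent with the victim's cookies.
function vulnerableHandler(event, runQuery) {
  const { name, query } = event.data || {};
  if (name === 'ExecuteQuery') return { result: runQuery(query) };
  return { rejected: 'shape' };
}

// Hardened pattern: reject unexpected origins before touching the payload,
// then validate the message shape. Also pin event.source to the expected
// iframe's contentWindow when one exists, and never reply with targetOrigin '*'.
function hardenedHandler(event, runQuery, expectedSource) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return { rejected: 'origin' };
  if (expectedSource && event.source !== expectedSource) return { rejected: 'source' };
  const { name, query } = event.data || {};
  if (name !== 'ExecuteQuery' || typeof query !== 'string') return { rejected: 'shape' };
  const result = runQuery(query);
  if (event.source && typeof event.source.postMessage === 'function') {
    event.source.postMessage({ name: 'QueryResult', result }, event.origin);
  }
  return { result };
}

// Stand-in for the GraphQL client; records which queries would have been sent.
function makeRecorder() {
  const sent = [];
  return { sent, runQuery: (q) => { sent.push(q); return `ran:${q}`; } };
}

// Constructed messages: one from the trusted embed, one forged by another site.
const trustedMsg = { origin: 'https://embed.example.com',
  data: { name: 'ExecuteQuery', query: '{ viewer { id } }' } };
const forgedMsg = { origin: 'https://attacker.invalid',
  data: { name: 'ExecuteQuery', query: 'mutation { changeEmail(to: "x") { ok } }' } };

if (typeof window !== 'undefined') {
  const rec = makeRecorder();
  window.addEventListener('message', (e) => hardenedHandler(e, rec.runQuery));
}
```

Run under Node: vulnerableHandler forwards the forged mutation, while hardenedHandler drops it with `{ rejected: 'origin' }` and still serves the trusted message.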