Advisories for Npm/Apollo-Server-Core package

2023

Prevent logging invalid header values

Impact

What kind of vulnerability is it?

Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly (with leading/trailing whitespace) or if they have any characters that are invalid as part of a header value.

Who is impacted?

Users who (all of the below):
use either the schema reporting or usage reporting feature
use an Apollo Studio API key which has invalid header values
use the …

2022

Batched HTTP requests may set incorrect `cache-control` response header

Impact

In Apollo Server 3 and 4, the `cache-control` HTTP response header may not reflect the cache policy that should apply to an HTTP request when that HTTP request contains multiple operations using HTTP batching. This could lead to data being inappropriately cached and shared. Apollo Server allows clients to send multiple operations in a single HTTP request. The results of these operations are returned in a single HTTP response, …

2020

Introspection in schema validation in Apollo Server

If `subscriptions: false` is passed to the `ApolloServer` constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If `introspection: true` is passed to the `ApolloServer` constructor options, the impact is limited to user-provided validation rules …