CVE-2021-41248: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 4, 2021 (updated November 9, 2021)

GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete.

References

github.com/graphql/graphiql/commit/cb237eeeaf7333c4954c752122261db7520f7bf4
github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8
github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7
nvd.nist.gov/vuln/detail/CVE-2021-41248

Code Behaviors & Features

Detect and mitigate CVE-2021-41248 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →