Advisories for Npm/Graphql-Playground-React package

2021

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground.