Security Advisories · apollographql/apollo-server · GitHub

Security Advisories

View information about security vulnerabilities from this repository's maintainers.

Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
GHSA-9q82-xgwf-vj6h published Mar 24, 2026 by glasser

Moderate
Denial of service with `startStandaloneServer`
GHSA-mp6q-xf9x-fwf7 published Feb 4, 2026 by phryneas

High
CSRF via window.postMessage origin-validation bypass in Apollo Embedded Sandbox and Explorer
GHSA-47qc-hrx3-r993 published Sep 25, 2025 by glasser

High
Prevent logging invalid header values
GHSA-j5g3-5c8r-7qfx published Aug 30, 2023 by trevor-scheer

Low
Unsafe application of Content Security Policy via reused nonces
GHSA-68jh-rf6x-836f published Jun 15, 2023 by trevor-scheer

Low
Batched HTTP requests may set incorrect `cache-control` response header
GHSA-8r69-3cvp-wxc3 published Nov 2, 2022 by glasser

Moderate
URL-based XSS attack affecting IE11 on default landing page
GHSA-2fvv-qxrq-7jq6 published Aug 10, 2022 by glasser

Low
The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
GHSA-2p3c-p3qw-69r4 published May 25, 2022 by glasser

Moderate
Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)
GHSA-qm7x-rc44-rrqw published Nov 4, 2021 by glasser

High
Schema validation rules are not passed to the subscription server, including rules that restrict introspection
GHSA-w42g-7vfc-xf37 published Jun 4, 2020 by abernix

Moderate

⚡