CVE-2021-41249 : GraphQL Playground is a GraphQL IDE for development of graphQL focused applicati

GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.

Published 2021-11-04 20:15:09

Updated 2021-11-09 15:47:45

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-41249

Graphql » Playground » For Node.js
Versions before (<) 1.7.28
cpe:2.3:a:graphql:playground:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41249

EPSS FAQ

0.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41249

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:P/A:N	4.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.7	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N	1.6	2.7	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
7.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L	1.6	5.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2021-41249

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2021-41249

https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7

XSS vulnerability in GraphQL Playground from untrusted schemas · Advisory · graphql/graphql-playground · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/graphql/graphql-playground/commit/b8a956006835992f12c46b90384a79ab82bcadad

Merge pull request from GHSA-59r9-6jp6-jcm7 · graphql/graphql-playground@b8a9560 · GitHub
Patch;Third Party Advisory
https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8

GraphiQL introspection schema template injection attack · Advisory · graphql/graphiql · GitHub
Not Applicable;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-41249

Products affected by CVE-2021-41249

Exploit prediction scoring system (EPSS) score for CVE-2021-41249

CVSS scores for CVE-2021-41249

CWE ids for CVE-2021-41249

References for CVE-2021-41249