Apollo GraphQL, Cross-Site Request Forgery (CSRF), CVE-2024-45619 (Critical)


CVE-2024-45619 stems from improper handling of the `window.postMessage` API in the client-side code of Apollo's Embedded Sandbox and Explorer: the message listener did not validate the origin of incoming messages. A malicious site can use JavaScript to open a page that embeds one of these components in a new window or iframe, keep the window handle, and post a crafted message to it. With no origin check, the embedded Sandbox/Explorer code treats that message as a legitimate command and executes the GraphQL operation it carries (a query or a mutation) against the GraphQL server the page is configured for. Because the request is issued by the embedding page itself, from inside the target origin and the victim's own session, the browser attaches the victim's authentication cookies and the server sees an ordinary authenticated request. Server-side CSRF defenses such as SameSite cookies, CORS checks or required custom headers do not help here, since the legitimate client code is the one making the request; that is why this is classed as client-side CSRF.
Platform: Apollo GraphQL
Version: @apollo/sandbox (Embedded Sandbox) <2.7.2, @apollo/explorer (Embedded Explorer) <3.7.3
Vulnerability: Client-Side CSRF
Severity: Critical

date: 2024

Prediction: Patch available

What Undercode Say:

Check current versions in a project (transitive copies are listed too; a bundled older build is still vulnerable)
npm list @apollo/sandbox @apollo/explorer
Upgrade to the first fixed releases (2.7.2 and 3.7.3 from the version line above; npm install, not npm update, is what pins a requested version)
npm install @apollo/sandbox@^2.7.2
npm install @apollo/explorer@^3.7.3
Example malicious postMessage payload, as run from the attacker's page (the message shape is illustrative; the target URL is assumed)
const victim = window.open('https://target.example/app'); // page embedding the vulnerable component
setTimeout(() => victim.postMessage({ // wait for the embed's listener; targetOrigin '*' because any receiver will do
  type: 'explorer-event',
  operation: '{"query":"mutation { deleteUser(id: 1) }"}'
}, '*'), 3000);

How to Exploit:

Attacker lures victim to a malicious site. The site’s script opens the target application embedding a vulnerable Apollo component. The script sends a forged `postMessage` containing a malicious GraphQL mutation. The victim’s browser, authenticated with the target app, executes the mutation.

Protection from this CVE:

Upgrade @apollo/sandbox to 2.7.2 or later and @apollo/explorer to 3.7.3 or later, and check that no older copy is still bundled transitively. Set NODE_ENV=production: Apollo Server then serves its production landing page by default, which does not embed Sandbox unless explicitly configured to, so the vulnerable component is usually not exposed at all. Avoid embedding Sandbox/Explorer in production and keep other development tooling off production origins. Where your own code handles `window.postMessage`, compare `event.origin` against an exact allowlist before acting on the message; inspecting only the message body, or matching the origin by prefix, is not a fix.
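The following is an added example, not code from Apollo's packages or from this page's author, illustrating both the missing origin check described above and the exact-allowlist validation recommended under Protection. It models a postMessage command handler of the kind the advisory describes in three variants and runs under Node without a browser; the message shape, the trusted origins and all function names are assumptions made for the demonstration.

```javascript
// Added example, not Apollo's code: a postMessage command handler of the kind
// the advisory describes, in three variants. Message shape, origins and
// function names are assumptions made for the demonstration.

// Origins allowed to drive the embedded component (assumed for the example).
const TRUSTED_ORIGINS = new Set([
  'https://studio.apollographql.com',
  'https://app.example.com',
]);

// Stand-in for the code that would send a GraphQL operation to the server with
// the victim's cookies. It records what would have run instead of sending it.
function makeExecutor() {
  const executed = [];
  return { executed, run: (operation) => { executed.push(operation); } };
}

// Variant 1: the flaw described in the advisory. Only the message body is
// inspected; event.origin is never consulted, so any window that holds a
// reference to this one (opener, parent, or a window.open() handle) can
// trigger an operation.
function handleMessageVulnerable(event, executor) {
  const msg = event.data;
  if (msg && msg.type === 'explorer-event' && typeof msg.operation === 'string') {
    executor.run(msg.operation);
    return 'executed';
  }
  return 'ignored';
}

// Variant 2: a common but wrong fix. Prefix matching on the origin string
// accepts https://app.example.com.evil.net because it starts with a trusted origin.
function handleMessagePrefixCheck(event, executor) {
  const trusted = [...TRUSTED_ORIGINS].some((o) => event.origin.startsWith(o));
  return trusted ? handleMessageVulnerable(event, executor) : 'rejected';
}

// Variant 3: exact-match allowlist on event.origin. The browser fills in
// event.origin from the sender's origin and the sender cannot forge it.
// The string "null" (sandboxed iframe, file:, other opaque origins) is not in
// the set, so it is rejected as well.
function handleMessageHardened(event, executor) {
  return TRUSTED_ORIGINS.has(event.origin)
    ? handleMessageVulnerable(event, executor)
    : 'rejected';
}

// Constructed MessageEvent-like object carrying the payload from the page above,
// as the attacker's window would deliver it. The origin is whatever the
// attacker's page is served from; the attacker cannot choose it.
function forgedEvent(origin) {
  return {
    origin,
    data: {
      type: 'explorer-event',
      operation: '{"query":"mutation { deleteUser(id: 1) }"}',
    },
  };
}

// Run each handler against the same set of senders and report what happened.
function demo() {
  const results = {};
  for (const [name, handler] of Object.entries({
    vulnerable: handleMessageVulnerable,
    prefixCheck: handleMessagePrefixCheck,
    hardened: handleMessageHardened,
  })) {
    const ex = makeExecutor();
    results[name] = {
      evil: handler(forgedEvent('https://evil.example'), ex),
      lookalike: handler(forgedEvent('https://app.example.com.evil.net'), ex),
      opaque: handler(forgedEvent('null'), ex),
      trusted: handler(forgedEvent('https://app.example.com'), ex),
      mutationsRun: ex.executed.length,
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the three rows: the vulnerable handler runs the forged mutation for every sender, the prefix check still lets the look-alike origin through, and only the exact allowlist confines execution to the trusted origin. The real packages' fix is not reproduced here; the point is the check a practitioner should look for in any postMessage listener that can trigger authenticated requests.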

Impact:

Arbitrary GraphQL execution in the victim's session. Data modification or deletion via mutations. Abuse of the user's session credentials, including any privileged role the user holds. Depending on which mutations the schema exposes to that user, this can amount to complete application compromise.


Sources:

Reported By: github.com