apollographql — Vulnerabilities & Security Advisories (20)

Browse all 20 CVE security advisories affecting apollographql. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Apollo GraphQL serves as a comprehensive framework for building and operating GraphQL services, enabling developers to create flexible APIs that aggregate data from multiple sources. Its widespread adoption in enterprise environments has made it a significant target for attackers, resulting in twenty recorded Common Vulnerabilities and Exposures (CVEs). Historically, the most prevalent vulnerability classes involve server-side request forgery (SSRF), remote code execution (RCE), and cross-site scripting (XSS), often stemming from insufficient input validation or improper handling of introspection queries. Notable incidents include critical flaws in the Apollo Server middleware that allowed attackers to execute arbitrary code or bypass authentication mechanisms. These security characteristics highlight the risks associated with complex middleware chains and the necessity for rigorous input sanitization. Organizations utilizing this technology must prioritize regular dependency updates and implement strict access controls to mitigate the potential for data exfiltration or system compromise.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35577 | Missing Host Header Validation in Apollo MCP Server for Localhost Deployments | apollo-mcp-server | CWE-346 | 6.8 | Medium | 2026-04-09 |
| CVE-2026-23897 | Apollo Server is vulnerable to denial of service with `startStandaloneServer` | apollo-server | CWE-1333 | 7.5 | High | 2026-02-04 |
| CVE-2025-64530 | @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields | federation | CWE-288 | 7.5 | High | 2025-11-13 |
| CVE-2025-64347 | Apollo Router Improperly Enforces Renamed Access Control Directives | router | CWE-284 | 7.5 | High | 2025-11-07 |
| CVE-2025-64173 | Apollo Router Core: Access Control Bypass on Polymorphic Types | router | CWE-288 | 7.5 | High | 2025-11-06 |
| CVE-2025-59845 | Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass | embeddable-explorer | CWE-346 | 8.2 | High | 2025-09-26 |
| CVE-2025-32380 | Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing | router | CWE-770 | 7.5 | High | 2025-04-09 |
| CVE-2025-32034 | Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion | router | CWE-770 | 7.5 | High | 2025-04-07 |
| CVE-2025-32033 | Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow | router | CWE-119 | 7.5 | High | 2025-04-07 |
| CVE-2025-32032 | Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass | router | CWE-770 | 7.5 | High | 2025-04-07 |
| CVE-2025-32031 | Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass | federation | CWE-770 | 7.5 | High | 2025-04-07 |
| CVE-2025-32030 | Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion | federation | CWE-770 | 7.5 | High | 2025-04-07 |
| CVE-2025-31496 | apollo-compiler Named Fragment Processing Vulnerability | apollo-rs | CWE-770 | 7.5 | High | 2025-04-07 |
| CVE-2024-43414 | Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries | federation | CWE-674 | 7.5 | High | 2024-08-27 |
| CVE-2024-43783 | Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies | router | CWE-770 | 7.5 | High | 2024-08-27 |
| CVE-2024-32971 | Defect in query plan cache may cause incorrect operations to be executed in Apollo Router | router | CWE-670 | 9.1 | Critical | 2024-05-02 |
| CVE-2024-28101 | Apollo Router's Compressed Payloads do not respect HTTP Payload Limits | router | CWE-409 | 7.5 | High | 2024-03-06 |
| CVE-2024-23841 | XSS in @apollo/experimental-nextjs-app-support | apollo-client-nextjs | CWE-80 | 8.2 | High | 2024-01-30 |
| CVE-2023-45812 | Improper Check or Handling of Exceptional Conditions in apollo-router | router | CWE-754 | 7.5 | High | 2023-10-18 |
| CVE-2023-41317 | Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router | router | CWE-755 | 7.5 | High | 2023-09-05 |

This page lists every published CVE security advisory associated with apollographql. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.