CVE-2025-59845
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apollo | explorer | 3.7.3 |
| apollo | sandbox | 2.7.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site request forgery (CSRF) issue in Apollo Studio Embeddable Explorer and Embeddable Sandbox before versions 3.7.3 and 2.7.2 respectively. It occurs because the client-side code handling window.postMessage events does not validate the origin of messages. As a result, a malicious website can send forged messages to the embedding page, causing the victim's browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim's cookies.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform unauthorized GraphQL queries or mutations on behalf of an authenticated user without their consent. This could lead to unauthorized data access or modification, potentially compromising the confidentiality and integrity of data handled by the GraphQL server.
What immediate steps should I take to mitigate this vulnerability?
Update Apollo Sandbox to version 2.7.2 or later and Apollo Explorer to version 3.7.3 or later to apply the patch that fixes the CSRF vulnerability caused by missing origin validation in the client-side code.