DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-9Q82-XGWF-VJ6H: XS-Search and CSRF Prevention Bypass in Apollo Server

Vulnerability ID: GHSA-9Q82-XGWF-VJ6H
CVSS Score: 7.5
Published: 2026-03-26

Apollo Server contains a flaw that lets an attacker bypass its built-in XS-Search and read-only Cross-Site Request Forgery (CSRF) prevention. The protection assumes that a browser only sends certain requests cross-origin after a CORS preflight; the bypass relies on browser behaviour that departs from the CORS specification on when that preflight is sent.

TL;DR

Apollo Server releases before 5.5.0 let an attacker-controlled page bypass the server's CSRF prevention with crafted cross-origin GET requests. The responses can then be probed with XS-Search timing side channels to infer information that only the authenticated victim should be able to see.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Cross-Site Request Forgery (CSRF) / XS-Search
  • CWE ID: CWE-352
  • Attack Vector: Network (Cross-Origin)
  • Authentication Required: None for the attacker; the victim must hold an authenticated session with the target (for example a session cookie) that the browser attaches to the cross-origin request
  • Impact: Information Disclosure (Confidentiality)
  • Exploit Status: Proof of Concept / Theoretical

Affected Systems

Apollo Server (@apollo/server) versions prior to 5.5.0.

Code Analysis

Commit: ada1200

Fix XS-Search vulnerability by strictly validating GET request Content-Type headers.

Mitigation Strategies

  • Upgrade to Apollo Server version 5.5.0 or later.
  • As an interim control until the upgrade ships, add WAF rules that drop HTTP GET requests to the GraphQL endpoint whose Content-Type is anything other than application/json.
  • Alternatively, configure the reverse proxy to strip the Content-Type header from GET requests when it does not match application/json, so the origin server's CSRF check falls back to requiring a preflight-forcing header. Neither rule replaces the upgrade.
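The block below is an added example, not Apollo Server's code and not the change in commit ada1200. It models the CSRF-prevention decision Apollo documents (a request passes if its Content-Type is not one of the three CORS-safelisted media types, or if it carries a preflight-forcing header such as apollo-require-preflight), handles a malformed Content-Type by failing closed, and chains that check behind the proxy-side GET rule from the mitigation list above. The request shape, the function names and the sample requests are constructed for this illustration; the advisory page does not state the exact condition the fix changed, so this is neither the vulnerable nor the patched logic.

```javascript
// Added example, not Apollo Server's code and not the change in commit ada1200.
// Models the documented CSRF-prevention decision and the proxy-side GET rule from
// the mitigation list; the request shape and sample requests are constructed here.

// Request Content-Types a browser may send cross-origin WITHOUT a CORS preflight.
// Any other value makes the browser preflight first, so a non-safelisted
// Content-Type on an arriving request means the CORS policy has already approved it.
const NON_PREFLIGHTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Custom headers whose presence also forces a preflight (Apollo documents these two).
const PREFLIGHT_REQUIRING_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Media-type "token" characters (RFC 9110 tchar), used to validate type and subtype.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
const ESSENCE_RE = new RegExp('^' + TOKEN + '/' + TOKEN + '$');

// Reduce "type/subtype; param=value" to its lowercased essence, or null when the
// header is not a well-formed media type so the caller can fail closed.
function mediaTypeEssence(value) {
  const essence = value.split(';', 1)[0].trim().toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : null;
}

// `headers` is a plain object keyed by lowercased header name (assumed shape).
function hasPreflightHeader(headers) {
  return PREFLIGHT_REQUIRING_HEADERS.some(
    (name) => typeof headers[name] === 'string' && headers[name].length > 0,
  );
}

// True when the request may reach the GraphQL executor, false when it should get a
// 400. A Content-Type only counts in the request's favour if it parses cleanly to a
// non-safelisted essence; a safelisted, missing or malformed value falls back to
// requiring one of the preflight headers.
function csrfPreventionAllows(headers) {
  const raw = headers['content-type'];
  if (raw !== undefined) {
    const essence = mediaTypeEssence(raw);
    if (essence !== null && !NON_PREFLIGHTED_CONTENT_TYPES.has(essence)) return true;
  }
  return hasPreflightHeader(headers);
}

// Proxy rule from the mitigation list: on GET requests to the GraphQL path, strip a
// Content-Type that is not application/json so the origin's check falls back to the
// preflight-header requirement. Returns the headers to forward and whether it acted.
function proxyNormalizeGetContentType(method, path, headers, graphqlPath = '/graphql') {
  if (method !== 'GET' || path !== graphqlPath || headers['content-type'] === undefined) {
    return { headers, stripped: false };
  }
  if (mediaTypeEssence(headers['content-type']) === 'application/json') {
    return { headers, stripped: false };
  }
  const { 'content-type': _dropped, ...rest } = headers;
  return { headers: rest, stripped: true };
}

// End-to-end decision for one request: proxy rule first, then the server-side check.
function gatewayDecision({ method, path, headers }) {
  const normalized = proxyNormalizeGetContentType(method, path, headers);
  return { stripped: normalized.stripped, allowed: csrfPreventionAllows(normalized.headers) };
}

// Constructed sample requests covering the cases a practitioner checks first.
const SAMPLE_REQUESTS = {
  postJson: { method: 'POST', path: '/graphql', headers: { 'content-type': 'application/json' } },
  getJsonCharset: { method: 'GET', path: '/graphql', headers: { 'content-type': 'application/json; charset=utf-8' } },
  getTextPlain: { method: 'GET', path: '/graphql', headers: { 'content-type': 'text/plain' } },
  getFormData: { method: 'GET', path: '/graphql', headers: { 'content-type': 'multipart/form-data; boundary=x' } },
  getNoContentType: { method: 'GET', path: '/graphql', headers: {} },
  getPreflightHeader: { method: 'GET', path: '/graphql', headers: { 'apollo-require-preflight': 'true' } },
  getMalformed: { method: 'GET', path: '/graphql', headers: { 'content-type': 'application/json/evil' } },
  getTextHtml: { method: 'GET', path: '/graphql', headers: { 'content-type': 'text/html' } },
};

function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_REQUESTS).map(([name, req]) => [name, gatewayDecision(req)]),
  );
}

console.table(runSamples());
```

The getTextHtml sample is the one to look at: on its own, csrfPreventionAllows() accepts a Content-Type of text/html because a spec-compliant browser cannot send that cross-origin without a preflight, but the proxy rule still strips it from a GET, so the request is rejected unless it also carries a preflight-forcing header. That is the defence-in-depth the mitigation list is buying against a browser that does not preflight where the specification says it must. The getMalformed sample shows the fail-closed path: an unparseable media type never counts as evidence of a preflight.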

Remediation Steps:

  1. Identify all deployments using @apollo/server, including those that import @apollo/server/standalone.
  2. Update the package dependencies in package.json to require version >= 5.5.0.
  3. Execute the package manager update command (e.g., npm install or yarn install).
  4. Deploy the updated application to staging environments and execute integration tests.
  5. Promote the patched application to production environments.

Read the full report for GHSA-9Q82-XGWF-VJ6H on our website for more details including interactive diagrams and full exploit analysis.