DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HFF2-GCPX-8F4P: Apollo Router Core XS-Search Bypass via Read-Only CSRF

Vulnerability ID: GHSA-HFF2-GCPX-8F4P
CVSS Score: 2.3
Published: 2026-03-26

Apollo Router Core versions prior to 2.12.1 contain a vulnerability where a browser-specific bug bypasses Cross-Site Request Forgery (CSRF) protections, enabling Cross-Site Search (XS-Search) attacks on read-only queries. The issue requires specific authentication schemes and non-standard browser behavior to exploit.

TL;DR

A non-compliant browser behavior omits CORS preflight requests for specific Content-Types, allowing malicious sites to execute authenticated GET queries against Apollo Router and perform XS-Search attacks.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Cross-Site Search (XS-Search) via CSRF
  • CWE ID: CWE-352
  • CVSS v4.0 Score: 2.3 (Low)
  • Attack Vector: Network
  • Authentication Required: Victim User (Cookies / Basic Auth)
  • Exploit Status: Theoretical / Browser Dependent

Affected Systems

  • Apollo Router Core
  • Rust Cargo Ecosystem
  • apollo-router: < 1.61.13 (Fixed in: 1.61.13)
  • apollo-router: 2.0.0 to < 2.10.2 (Fixed in: 2.10.2)
  • apollo-router: 2.11.0 to < 2.12.1 (Fixed in: 2.12.1)

Code Analysis

Commit: a72e759

Fix for GHSA-HFF2-GCPX-8F4P enforcing strict Content-Type validation on GET requests

Mitigation Strategies

  • Upgrade Apollo Router Core to version 1.61.13, 2.10.2, or 2.12.1
  • Implement a WAF or Load Balancer rule to block requests with 'message/' in the Content-Type header
  • Deploy a custom Rhai script in the router to explicitly drop non-compliant requests
  • Migrate away from ambient authentication mechanisms (Cookies/Basic Auth) to explicit header-based tokens (Bearer)

Remediation Steps:

  1. Identify the current version of Apollo Router running in your environment.
  2. Update the project dependencies in your Cargo.toml to reference the corresponding fixed version (1.61.13, 2.10.2, or 2.12.1).
  3. Rebuild the router binary using 'cargo build --release'.
  4. Deploy the updated binary to your staging environment and run integration tests.
  5. If patching is delayed, apply the provided Rhai script via the 'router_service' map_request function.
  6. Promote the patched binary or Rhai script configuration to the production environment.
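To make the mitigation concrete, here is an added Rust model (my own code, not Apollo Router's source or the fix in commit a72e759) contrasting the assumption the advisory describes, that any non-safelisted Content-Type implies a CORS preflight happened, with a strict allowlist for GET; the `application/json` allowlist and the CORS-safelisted set used here are assumptions for the illustration:

```rust
// Added example, not Apollo Router code. A browser only sends a CORS
// preflight for a "non-simple" request, so a CSRF check may treat any
// Content-Type outside the CORS-safelisted set as proof of a preflight.
// A non-compliant browser that skips the preflight for the `message/`
// family (the family the advisory's WAF rule blocks) defeats that check.
// The hardened variant keeps an explicit allowlist for GET instead.

/// Media types a browser may send without a preflight (CORS-safelisted).
const CORS_SAFELISTED: [&str; 3] = [
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
];

/// Normalise a Content-Type header: drop parameters, trim, lowercase.
pub fn media_type(header: &str) -> String {
    header.split(';').next().unwrap_or("").trim().to_ascii_lowercase()
}

/// Modelled pre-fix decision: anything not safelisted is assumed to have
/// been preflighted and is accepted, so `message/rfc822` is let through.
pub fn vulnerable_allows(content_type: &str) -> bool {
    let mt = media_type(content_type);
    !CORS_SAFELISTED.contains(&mt.as_str())
}

/// Modelled hardened decision for GET (allowlist is an assumption):
/// only the media type the router expects is accepted; `message/*`
/// and everything else unexpected is rejected without relying on the
/// browser's preflight behaviour.
pub fn hardened_get_allows(content_type: &str) -> bool {
    media_type(content_type) == "application/json"
}

fn main() {
    let samples = ["application/json", "message/rfc822", "text/plain"];
    for ct in samples {
        println!(
            "{ct:20} vulnerable={:<5} hardened={}",
            vulnerable_allows(ct),
            hardened_get_allows(ct)
        );
    }
}
```

The `vulnerable_allows` row for `message/rfc822` shows the gap: the permissive check accepts it, the allowlist does not.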

Read the full report for GHSA-HFF2-GCPX-8F4P on our website for more details including interactive diagrams and full exploit analysis.
