Search
Find a vulnerability
Search criteria
2 vulnerabilities found for embeddable-explorer by apollographql
CVE-2025-59845 (GCVE-0-2025-59845)
Vulnerability from nvd – Published: 2025-09-26 22:38 – Updated: 2025-09-29 15:02
VLAI
Title
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Summary
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/apollographql/embeddable-explo… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | embeddable-explorer |
Affected:
< 2.7.2
Affected: < 3.7.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T15:01:34.408985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T15:02:04.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "embeddable-explorer",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
},
{
"status": "affected",
"version": "\u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apollo Studio Embeddable Explorer \u0026 Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim\u2019s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim\u2019s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T22:38:57.350Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv"
}
],
"source": {
"advisory": "GHSA-w87v-7w53-wwxv",
"discovery": "UNKNOWN"
},
"title": "Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59845",
"datePublished": "2025-09-26T22:38:57.350Z",
"dateReserved": "2025-09-22T14:34:03.472Z",
"dateUpdated": "2025-09-29T15:02:04.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59845 (GCVE-0-2025-59845)
Vulnerability from cvelistv5 – Published: 2025-09-26 22:38 – Updated: 2025-09-29 15:02
VLAI
Title
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Summary
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/apollographql/embeddable-explo… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | embeddable-explorer |
Affected:
< 2.7.2
Affected: < 3.7.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-29T15:01:34.408985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T15:02:04.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "embeddable-explorer",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
},
{
"status": "affected",
"version": "\u003c 3.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apollo Studio Embeddable Explorer \u0026 Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim\u2019s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim\u2019s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T22:38:57.350Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv"
}
],
"source": {
"advisory": "GHSA-w87v-7w53-wwxv",
"discovery": "UNKNOWN"
},
"title": "Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59845",
"datePublished": "2025-09-26T22:38:57.350Z",
"dateReserved": "2025-09-22T14:34:03.472Z",
"dateUpdated": "2025-09-29T15:02:04.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}