CVE-2021-41248
XSS vulnerability in graphiql (npm)
What is CVE-2021-41248 About?
This vulnerability is an XSS (Cross-Site Scripting) flaw in `graphiql` that affects all versions older than 1.4.7. It allows code injection on operation autocomplete via compromised HTTP schema introspection responses or malicious `schema` prop values. Successful exploitation can lead to exfiltration of user credentials and data.
Affected Software
Technical Details
The XSS vulnerability in graphiql arises from improper escaping of GraphQL type names in the dynamic rendering code that populates operation autocomplete suggestions (specifically in onHasCompletion.ts). If graphiql loads a compromised GraphQL schema (either via a malicious HTTP introspection response or a directly provided `schema` prop), and that schema contains type names with injected HTML, the unescaped names are written directly into the DOM (often via innerHTML). When a user interacts with the autocomplete (e.g., by typing '{u'), the injected markup is interpreted by the browser and any embedded script executes, resulting in client-side code injection. The problem is exacerbated if the fetcher implementation allows the schema URL to be set dynamically from an attacker-controllable source, which enables phishing attacks in which users are tricked into loading a malicious schema.
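The following is an added example, not graphiql's own code: it contrasts the vulnerable pattern (raw type name concatenated into markup destined for innerHTML) with a hardened renderer that escapes first, and adds a pre-load check that rejects introspection results whose type names violate the GraphQL name grammar. The sample introspection response and all function names are constructed for illustration.

```javascript
// Added example (not from graphiql). Shows why unescaped type names from an
// untrusted introspection response are dangerous, and two defensive measures.

// GraphQL names must match this grammar; a type name that does not is a strong
// signal that the introspection response was tampered with.
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Returns every type name in an introspection result that is not a valid GraphQL name.
function findInvalidTypeNames(introspection) {
  const types = (introspection && introspection.__schema && introspection.__schema.types) || [];
  return types
    .map((t) => t.name)
    .filter((n) => typeof n !== 'string' || !GRAPHQL_NAME.test(n));
}

// Guard to run before an introspection result is turned into a client schema:
// refuse the whole response rather than render hostile names in the UI.
function assertSafeIntrospection(introspection) {
  const bad = findInvalidTypeNames(introspection);
  if (bad.length > 0) {
    throw new Error(`rejected introspection: invalid type names ${JSON.stringify(bad)}`);
  }
  return introspection;
}

// Minimal HTML escaping for text that is about to be placed into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw name becomes part of a string later assigned to
// innerHTML, so any HTML inside the name is parsed as live markup.
function renderHintUnsafe(typeName) {
  return `<li class="hint">${typeName}</li>`;
}

// Hardened pattern: escape before concatenating (in a real DOM, prefer
// creating the element and assigning textContent instead of innerHTML).
function renderHintSafe(typeName) {
  return `<li class="hint">${escapeHtml(typeName)}</li>`;
}

// Constructed sample: a normal introspection result with one tampered type name.
const SAMPLE_INTROSPECTION = {
  __schema: {
    types: [
      { name: 'Query', kind: 'OBJECT' },
      { name: 'User', kind: 'OBJECT' },
      { name: 'User<b>x</b>', kind: 'OBJECT' }, // would render as markup via innerHTML
    ],
  },
};
```

Running `findInvalidTypeNames(SAMPLE_INTROSPECTION)` flags only the tampered name, and `renderHintSafe` turns its angle brackets into entities so the browser shows them as text.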
What is the Impact of CVE-2021-41248?
Successful exploitation may allow attackers to execute arbitrary scripts in the user's browser, enabling data exfiltration, session hijacking, or defacement of the web interface.
What is the Exploitability of CVE-2021-41248?
Exploitation requires the victim to load a vulnerable schema in graphiql, which can occur through a compromised HTTP schema introspection response or a malicious `schema` prop. The complexity is moderate to high, as it depends on controlling the schema content or the schema URL. Authentication is not directly required for the XSS itself, but delivering the malicious schema may depend on compromising a GraphQL endpoint or tricking a user (phishing). Privilege requirements are low for triggering the XSS in the victim's browser once the schema is loaded. This is a remote, client-side vulnerability delivered via the application's data. Special conditions include graphiql versions older than 1.4.7. The risk is significantly increased if custom graphiql implementations allow user-provided schema URLs, or if the GraphQL endpoint can be compromised or made to return untrusted introspection results.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-41248?
Available Upgrade Options
- graphiql
- >0.5.0, <1.4.7 → Upgrade to 1.4.7
Additional Resources
- https://github.com/graphql/graphiql/commit/6701b0b626e43800e32413590a295e5c1e3d5419#diff-d45eb76aebcffd27d3a123214487116fa95e0b5a11d70a94a0ce3033ce09f879R110
- https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8
- https://nvd.nist.gov/vuln/detail/CVE-2021-41248
- https://github.com/graphql/graphiql/commit/cb237eeeaf7333c4954c752122261db7520f7bf4
- https://osv.dev/vulnerability/GHSA-x4r7-m2q9-69c8
- https://github.com/graphql/graphiql/commit/b9dec272d89d9c590727fd10d62e4a47e0317fc7#diff-855b77f6310b7e4fb1bcac779cd945092ed49fd759f4684ea391b45101166437R87
- https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7
- https://github.com/graphql/graphiql/blob/main/docs/security/2021-introspection-schema-xss.md#2-more-details-on-the-vulnerability
- https://github.com/graphql/graphiql
What are Similar Vulnerabilities to CVE-2021-41248?
Similar Vulnerabilities: CVE-2023-28155, CVE-2022-24990, CVE-2022-31057, CVE-2022-23529, CVE-2022-23530
