Impact

The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.

This only affects Apollo Routers where the landing page has not been disabled. This issue was introduced in v0.1.0-alpha.7 when the landing page was added.

Patches

To avoid this, the sample curl command has been removed in release 0.15.1.

Workarounds

Disabling the landing page in the Apollo router configuration prevents displaying the example:

server:
  landing_page: false

See also

A similar issue exists in the default landing page of Apollo Server 3.0. See the corresponding Apollo Server security advisory.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the Apollo router repository
• Email us at [email protected]

Credits

This issue was discovered by Adrian Denkiewicz of Doyensec.