Home > Vulnerability Database > WS-2022-0276

Mend.io Vulnerability Database

WS-2022-0276

Good to know:

Date: August 19, 2025

The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.

Language: JS

Severity Score

8.8

Related Resources (4)

Url: https://github.com/apollographql/apollo-server/commit/68a439b6e3af9edc8a2480092f2d49f058be1e64

Url: https://github.com/apollographql/apollo-server/security/advisories/GHSA-2fvv-qxrq-7jq6

Url: https://github.com/apollographql/apollo-server

Url: https://www.mend.io/vulnerability-database/WS-2022-0276

Severity Score

8.8

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0276

Good to know:

Date: August 19, 2025

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?