SCA: security update for graphiql (GHSA-x4r7-m2q9-69c8)

medium Tenable Self-Hosted Container Security Plugin ID 420288

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the
GraphQL Foundation. All versions of graphiql older than [email protected] are vulnerable to compromised HTTP
schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic
XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to
take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur.
By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or
examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher
allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-
playground, or a database provided value, then this custom graphiql implementation is vulnerable to
phishing attacks, and thus much more readily available, low or no privelege level xss attacks. The URLs
could look like any generic looking graphql schema URL. It should be noted that desktop clients such as
Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact
codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It
does impact all forks of graphiql, and every released version of graphiql. (CVE-2021-41248)

See Also

https://github.com/advisories/GHSA-x4r7-m2q9-69c8

Plugin Details

Severity: Medium

ID: 420288

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-41248

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/8/2021

Vulnerability Publication Date: 11/4/2021

Reference Information

CVE: CVE-2021-41248

cwe: CWE-79