
apollo-server-express dependency on cookie <7.0 (CVE-2024-47764) #7936

Closed
WilliamForbesJr opened this issue Oct 11, 2024 · 2 comments · Fixed by #7952

Comments

@WilliamForbesJr

Issue Description

Express dependency on cookie <7.0 CVE-2024-47764

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the cookie name, path, or domain, which can be used to set unexpected values to other cookie fields.

Link to Reproduction

GHSA-pxg6-pf52-xh8x

Reproduction Steps

Express dependency on cookie <7.0 CVE-2024-47764

@glasser
Member

glasser commented Oct 29, 2024

I'll put out a patch release that includes this upgrade, because it's nice to not have copies of modules with CVEs installed in your server. However, I don't think there's an actual vulnerability here (assuming you are using Apollo Server in a typesafe way respecting our TypeScript declarations).

Apollo Server 4 uses Express in two ways.

First, it exports an expressMiddleware function. The code for this function does not actually link in any code from express at runtime — the caller of this function needs to install their own copy of express and create the Express app that way. So while users of expressMiddleware should upgrade their copy of express to avoid this CVE, whether or not @apollo/server was built against an older version is not relevant.

Second, it exports startStandaloneServer, which actually does create an Express app. The only vulnerable part of Express (as far as I can tell) are the res.cookie and res.clearCookie functions. A user of startStandaloneServer could hypothetically call these functions in their context function. But they should not — the context function passed to startStandaloneServer explicitly chooses to define its options using types from the base Node http package rather than Express types, because depending on the internal fact that startStandaloneServer is built on Express is not intended. So the only way to call the res.cookie/res.clearCookie functions is to ignore the type declarations for startStandaloneServer (whether by using an unsafe language like JavaScript or an as cast in TypeScript). You can introduce arbitrary security problems into your code if you override our type safety requirements, so I don't consider this to be a real vulnerability in Apollo Server 4.

(Apollo Server 2 and 3 have a different relationship to Express, in the apollo-server-express package instead of @apollo/server; however, these versions are end-of-life and we no longer guarantee security updates. Additionally, express is a peer dependency of apollo-server-express rather than a direct dependency, which means users of these obsolete versions just need to upgrade their own dependency on express to get the right version.)

glasser added a commit that referenced this issue Oct 29, 2024
`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

Fixes #7936.
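An added example (not Apollo Server's own code) of the pattern glasser's comment and the commit message describe: a startStandaloneServer-style context function that sets a cookie through the core Node.js `http.ServerResponse` API instead of Express's `res.cookie()`, validating the name, Path and Domain before serializing them. `NodeResponseLike`, `serializeCookie`, `attachSessionCookie` and the sample session id are assumptions made for this example.

```typescript
// Added example, not Apollo Server's own code: a startStandaloneServer-style context
// function sets a cookie through the core Node.js http.ServerResponse API with the
// name, path and domain validated first (the class of check cookie >= 0.7.0 adds), so
// neither Express's res.cookie() nor an unsafe cast to an Express type is needed.

// Structural subset of http.ServerResponse used here (assumption; the real one fits).
interface NodeResponseLike {
  getHeader(name: string): string | string[] | number | undefined;
  setHeader(name: string, value: string | string[]): void;
}

interface CookieOptions { path?: string; domain?: string; httpOnly?: boolean; secure?: boolean }

// RFC 6265 cookie-name token; Path/Domain may not contain ';' or control characters
// (simplified versions of the checks in cookie >= 0.7.0; assumption).
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const ATTR_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;

function serializeCookie(name: string, value: string, opts: CookieOptions = {}): string {
  if (!NAME_RE.test(name)) throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  const parts = [`${name}=${encodeURIComponent(value)}`]; // encoding keeps ';' out of the value
  if (opts.path !== undefined) {
    if (!ATTR_RE.test(opts.path)) throw new TypeError('invalid cookie path');
    parts.push(`Path=${opts.path}`);
  }
  if (opts.domain !== undefined) {
    if (!ATTR_RE.test(opts.domain)) throw new TypeError('invalid cookie domain');
    parts.push(`Domain=${opts.domain}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Appends a Set-Cookie header without clobbering ones already present on the response.
function attachSessionCookie(res: NodeResponseLike, sessionId: string): string[] {
  const cur = res.getHeader('Set-Cookie');
  const prev = Array.isArray(cur) ? cur : cur === undefined ? [] : [String(cur)];
  const all = [...prev, serializeCookie('sid', sessionId, { path: '/', httpOnly: true, secure: true })];
  res.setHeader('Set-Cookie', all);
  return all;
}

// Context function typed against the Node.js response only: `res.cookie` does not exist
// on this type, so the Express-specific API cannot be reached without an `as` cast.
async function context({ res }: { res: NodeResponseLike }): Promise<{ sessionId: string }> {
  const sessionId = 'constructed-session-id'; // constructed value for the example
  attachSessionCookie(res, sessionId);
  return { sessionId };
}
```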

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
For general questions, we recommend using StackOverflow or our discord server.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 29, 2024