
CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL

Severity: Medium
Versions Affected:
silverstripe/graphql:^2.0, silverstripe/graphql:^3.0
Versions Fixed:
silverstripe/graphql:2.0.5, silverstripe/graphql:3.1.2, silverstripe/graphql:3.2.0
Release Date:

The code change that implements Cross Site Request Forgery (CSRF) protection on GraphQL mutation queries does not adequately protect users against CSRF attacks on GraphQL endpoints. A GraphQL document that places a fragment definition before the mutation bypasses the check that determines whether the request is a mutation, so the X-CSRF-TOKEN HTTP header is not required to be supplied with that HTTP request.

CVSS 6.8
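As an added illustration (not code from silverstripe/graphql), the following Python shows why a check that only inspects the document's leading keyword misses a mutation that follows a fragment definition, and a scan of every top-level definition that does not; the sample documents and the naive check are constructed assumptions, not the module's actual implementation.

```python
import re

# Constructed sample documents (illustration only, not from the advisory).
PLAIN_MUTATION = 'mutation { updateTitle(id: 1, title: "x") { id } }'
FRAGMENT_FIRST = """
fragment Fields on Page { id title }
mutation { updateTitle(id: 1, title: "x") { ...Fields } }
"""
PLAIN_QUERY = 'query { readPages { id } }'


def naive_is_mutation(doc: str) -> bool:
    """Assumed weak check: only the document's leading keyword is inspected."""
    return doc.lstrip().startswith("mutation")


def _strip_strings_and_comments(doc: str) -> str:
    # Blank out string literals and comments so a '{' or the word
    # 'mutation' inside them cannot influence the scan.
    doc = re.sub(r'"""[\s\S]*?"""', '""', doc)
    doc = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', doc)
    return re.sub(r"#[^\n]*", "", doc)


def definition_keywords(doc: str) -> list:
    """Leading keyword of every top-level definition (brace depth 0).
    A bare '{' at depth 0 is the anonymous query shorthand."""
    keywords, depth, at_start = [], 0, True
    for tok in re.finditer(r"[{}]|[A-Za-z_][A-Za-z0-9_]*", _strip_strings_and_comments(doc)):
        t = tok.group()
        if t == "{":
            if depth == 0 and at_start:
                keywords.append("query")
            depth += 1
            at_start = False
        elif t == "}":
            depth = max(depth - 1, 0)
            at_start = depth == 0  # next word opens a new definition
        elif depth == 0 and at_start:
            keywords.append(t)
            at_start = False
    return keywords


def is_mutation(doc: str) -> bool:
    """Hardened check: a mutation counts wherever it sits among the definitions."""
    return "mutation" in definition_keywords(doc)
```

Only the hardened check flags FRAGMENT_FIRST as a mutation, which is the case where the CSRF header must be demanded.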