CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL
- Medium (?)
- Versions Affected:
- silverstripe/graphql:^2.0, silverstripe/graphql:^3.0
- Versions Fixed:
- silverstripe/graphql:2.0.5, silverstripe/graphql:3.1.2, silverstripe/graphql:3.2.0
- Release Date:
The code change that implements Cross Site Request Forgery (CSRF) protection on GraphQL mutation queries does not adequately protect users against CSRF attacks on GraphQL endpoints. A GraphQL query formed with a fragment portion before the mutation would bypass the check for determining whether the query is a mutation and therefore the X-CSRF-TOKEN HTTP header is not required to be supplied with the HTTP request.