
CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL

Severity: Moderate
Versions Affected: >= 2.0, >= 3.0
Versions Fixed: 2.0.5, 3.1.2, 3.2.0
Release Date:

The code change that implements Cross Site Request Forgery (CSRF) protection on GraphQL mutation queries does not adequately protect users against CSRF attacks on GraphQL endpoints. A GraphQL document in which a fragment definition precedes the mutation bypasses the check that determines whether the query is a mutation, so the X-CSRF-TOKEN HTTP header is not required to be supplied with that HTTP request.
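The following Python example is added here to illustrate the class of check the advisory describes; it is not SilverStripe's code, and the weak check is a hypothetical reconstruction of a prefix-based test rather than the project's actual implementation. It places that prefix test, which a leading fragment definition defeats, beside a check that walks every top-level definition of the document and flags a mutation wherever it appears, which is the property a CSRF gate on a GraphQL endpoint needs. The sample GraphQL documents and type names are constructed for the example.

```python
import re
from typing import List

# Constructed sample documents (not from the advisory). The advisory only
# describes the shape of the bypass: a fragment definition ahead of the mutation.
PLAIN_MUTATION = """
mutation UpdateName {
  updateMember(id: 1, name: "x") { id }
}
"""

FRAGMENT_FIRST = """
fragment MemberFields on Member { id name }
mutation UpdateName {
  updateMember(id: 1, name: "x") { ...MemberFields }
}
"""

READ_ONLY_QUERY = """
fragment MemberFields on Member { id name }
query ReadMember { readOneMember(id: 1) { ...MemberFields } }
"""

SHORTHAND_QUERY = "{ readOneMember(id: 1) { id } }"


def naive_is_mutation(document: str) -> bool:
    """Hypothetical weak check: looks only at the first keyword of the document.
    Any fragment definition placed first hides the mutation from it."""
    return bool(re.match(r"\s*mutation\b", document))


# Minimal GraphQL lexer: block strings, strings and comments are matched as
# single tokens so that braces inside them cannot confuse the depth tracking.
TOKEN_RE = re.compile(
    r'"""(?:[^"]|"(?!""))*"""'          # block string
    r'|"(?:\\.|[^"\\\n])*"'             # string
    r'|#[^\n]*'                          # comment
    r'|[A-Za-z_][A-Za-z0-9_]*'           # name or keyword
    r'|[{}()\[\]:$@!=|.,]'               # punctuation ("..." lexes as three dots)
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?' # number
    r'|\S'                               # any other (invalid) character
)

OPERATION_KEYWORDS = {"query", "mutation", "subscription"}


def operation_types(document: str) -> List[str]:
    """Return the operation type of every top-level operation definition, in
    document order. Fragment definitions, comments and string contents are
    skipped, so the position of a fragment relative to a mutation is irrelevant."""
    ops: List[str] = []
    depth = 0      # nesting of {} and ()
    start = True   # True when the next token opens a new top-level definition
    for tok in TOKEN_RE.findall(document):
        if tok[0] in '"#' or tok == ",":
            continue  # strings, comments and commas carry no structure
        if depth == 0 and start:
            if tok == "{":
                ops.append("query")        # shorthand anonymous query
            elif tok in OPERATION_KEYWORDS:
                ops.append(tok)
            # "fragment" (or anything else) starts a non-operation definition
            start = False
        if tok in ("{", "("):
            depth += 1
        elif tok in ("}", ")"):
            depth -= 1
            # Only a closing brace at depth 0 ends a definition; a ")" after
            # variable definitions does not, so "mutation M($id: ID!) {...}" is one unit.
            if tok == "}" and depth == 0:
                start = True
    return ops


def requires_csrf_token(document: str) -> bool:
    """Hardened gate: demand the CSRF token if any operation is a mutation."""
    return "mutation" in operation_types(document)


if __name__ == "__main__":
    for name, doc in [("plain", PLAIN_MUTATION), ("fragment-first", FRAGMENT_FIRST),
                      ("read-only", READ_ONLY_QUERY), ("shorthand", SHORTHAND_QUERY)]:
        print(f"{name:15} naive={naive_is_mutation(doc)!s:5} "
              f"hardened={requires_csrf_token(doc)!s:5} ops={operation_types(doc)}")
```

The prefix check returns False for the fragment-first document even though it contains a mutation, which is exactly the gap the advisory reports; the definition-walking check returns True for it and still leaves read-only queries, including the anonymous shorthand form, exempt. In a real deployment the same decision is better taken on the parsed AST the GraphQL library already builds, so the lexer here stands in for that parser rather than replacing it.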

CVSS 6.8