CVE-2025-59845

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-59845

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59845.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-59845

Aliases

GHSA-w87v-7w53-wwxv

Published

2025-09-26T22:38:57.350Z

Modified

2025-12-02T20:15:55.523264Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N CVSS Calculator

Summary

Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass

Details

Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59845.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346",
        "CWE-352"
    ]
}

References

Affected packages

Git / github.com/apollographql/embeddable-explorer

Affected ranges

Type

GIT

Repo

https://github.com/apollographql/embeddable-explorer

Events

Introduced

Fixed

e6d760d1635bae698abf1ad2a286761c4364491e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.2"
        },
        {
            "fixed": "3.7.3"
        }
    ]
}

Affected versions

@apollo/explorer-helpers@0.*

@apollo/explorer-helpers@0.1.0

@apollo/explorer-helpers@0.1.1

@apollo/explorer-helpers@0.1.2

@apollo/explorer-helpers@0.1.4

@apollo/explorer-helpers@0.1.5

@apollo/explorer@1.*

@apollo/explorer@1.0.0

@apollo/explorer@1.1.0

@apollo/explorer@1.1.1

@apollo/explorer@1.2.0

@apollo/explorer@2.*

@apollo/explorer@2.0.0

@apollo/explorer@2.0.1

@apollo/explorer@2.0.2

@apollo/explorer@3.*

@apollo/explorer@3.0.0

@apollo/explorer@3.1.0

@apollo/explorer@3.1.1

@apollo/explorer@3.2.0

@apollo/explorer@3.3.0

@apollo/explorer@3.4.0

@apollo/explorer@3.5.0

@apollo/explorer@3.6.0

@apollo/explorer@3.7.0

@apollo/explorer@3.7.1

@apollo/explorer@3.7.2

@apollo/sandbox@0.*

@apollo/sandbox@0.1.0

@apollo/sandbox@0.2.0

@apollo/sandbox@0.2.1

@apollo/sandbox@0.3.0

@apollo/sandbox@1.*

@apollo/sandbox@1.0.0

@apollo/sandbox@1.0.1

@apollo/sandbox@1.0.2

@apollo/sandbox@1.0.3

@apollo/sandbox@2.*

@apollo/sandbox@2.0.0

@apollo/sandbox@2.1.0

@apollo/sandbox@2.1.1

@apollo/sandbox@2.2.0

@apollo/sandbox@2.3.0

@apollo/sandbox@2.4.0

@apollo/sandbox@2.5.0

@apollo/sandbox@2.5.1

@apollo/sandbox@2.6.0

@apollo/sandbox@2.7.0

@apollo/sandbox@2.7.1

v0.*

v0.2.1

v0.3.0

v0.3.1

v0.3.2

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.6.0