CVE-2025-59845
Description
Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@apollo/sandboxnpm | < 2.7.2 | 2.7.2 |
@apollo/explorernpm | < 3.7.3 | 3.7.3 |
Affected products
3- Range: @apollo/explorer-helpers@0.1.0, @apollo/explorer-helpers@0.1.1, @apollo/explorer-helpers@0.1.2, …
- ghsa-coords2 versions
< 3.7.3+ 1 more
- (no CPE)range: < 3.7.3
- (no CPE)range: < 2.7.2
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.