VYPR
Get started
← All advisories
High severity8.2OSV Advisory· Published Sep 26, 2025· Updated Apr 15, 2026

CVE-2025-59845

CVE-2025-59845

Description

Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@apollo/sandboxnpm
< 2.7.22.7.2
@apollo/explorernpm
< 3.7.33.7.3

Affected products

1

Patches

1
e6d760d1635b

Merge pull request #330 from apollographql/changeset-release/main

https://github.com/apollographql/embeddable-explorerJeffrey BurtSep 18, 2025via osv
commit
5 files changed · +14 8
  • .changeset/great-bats-fly.md+0 6 removed
    @@ -1,6 +0,0 @@
----
-'@apollo/explorer': patch
-'@apollo/sandbox': patch
----
-
-fix a CSRF vulnerability that allowed attackers to pass through authenticated cookies though postMessage requests
  • packages/explorer/CHANGELOG.md+6 0 modified
    @@ -1,5 +1,11 @@
 # @apollo/explorer
 
+## 3.7.3
+
+### Patch Changes
+
+- [#329](https://github.com/apollographql/embeddable-explorer/pull/329) [`8c7be6b`](https://github.com/apollographql/embeddable-explorer/commit/8c7be6b4ffcf8f76287fc01d43b210073d571fd6) Thanks [@esilverm](https://github.com/esilverm)! - fix a CSRF vulnerability that allowed attackers to pass through authenticated cookies though postMessage requests
+
 ## 3.7.2
 
 ### Patch Changes
  • packages/explorer/package.json+1 1 modified
    @@ -1,6 +1,6 @@
 {
   "name": "@apollo/explorer",
-  "version": "3.7.2",
+  "version": "3.7.3",
   "author": "packages@apollographql.com",
   "license": "MIT",
   "repository": {
  • packages/sandbox/CHANGELOG.md+6 0 modified
    @@ -1,5 +1,11 @@
 # @apollo/sandbox
 
+## 2.7.2
+
+### Patch Changes
+
+- [#329](https://github.com/apollographql/embeddable-explorer/pull/329) [`8c7be6b`](https://github.com/apollographql/embeddable-explorer/commit/8c7be6b4ffcf8f76287fc01d43b210073d571fd6) Thanks [@esilverm](https://github.com/esilverm)! - fix a CSRF vulnerability that allowed attackers to pass through authenticated cookies though postMessage requests
+
 ## 2.7.1
 
 ### Patch Changes
  • packages/sandbox/package.json+1 1 modified
    @@ -1,6 +1,6 @@
 {
   "name": "@apollo/sandbox",
-  "version": "2.7.1",
+  "version": "2.7.2",
   "author": "packages@apollographql.com",
   "license": "MIT",
   "repository": {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.