
GraphQL IDE

Description

A GraphQL IDE provides an interface for users to interact with the endpoint, but leaving it exposed can also open the door to potential vulnerabilities.

Remediation

Disable the GraphQL IDE, or restrict access to it. Refer to the documentation of your specific GraphQL engine for instructions on how to do so.

Apollo

GraphQL Playground is deprecated and disabled by default since Apollo v3. If you installed it voluntarily with the corresponding plugin, you should consider disabling it to improve security.

If you still use Apollo v2, you can disable GraphQL Playground by either:

  • Setting the environment variable NODE_ENV to production
  • Explicitly disabling it:

        const server = new ApolloServer({
          // ...
          playground: false,
        });

Source:

Configuration

CheckId: information_disclosure/graphql_ide

Examples

Ignoring this check

    {
      "checks": {
        "information_disclosure/graphql_ide": {
          "skip": true
        }
      }
    }

Score

  • Escape Severity: LOW

  • OWASP: A07:2023

  • CWE

    • 200
    • 489
    • 668
    • 1295

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • CVSS_SCORE: 4.8

References