cvedb.io
CVE-2021-41249
HIGH · CVSS 7.1
EPSS exploitation probability: 0%
Published 2021-11-04T20:15:08.597 · Last modified 2026-06-17T04:08:10.460

Summary

GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than [email protected] are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user

Affected products

graphql — playground

Does this affect you?

Add your gear to cvedb and we'll alert you only when graphql ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.