CVE-2019-12437: Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: CVE-2019-12437
Versions Affected:: silverstripe/graphql:^2.0, silverstripe/graphql:^3.0
Versions Fixed:: silverstripe/graphql:2.0.5, silverstripe/graphql:3.1.2, silverstripe/graphql:3.2.0
Release Date:: 2019-06-10

The code change that implements Cross Site Request Forgery (CSRF) protection on GraphQL mutation queries does not adequately protect users against CSRF attacks on GraphQL endpoints. A GraphQL query formed with a fragment portion before the mutation would bypass the check for determining whether the query is a mutation and therefore the X-CSRF-TOKEN HTTP header is not required to be supplied with the HTTP request.

CVSS 6.8