{"id":"CVE-2021-41248","details":"GraphiQL is the reference GraphQL IDE implementation in this monorepo, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses, or schema prop values, that contain malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. For the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur. By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as from a URL query parameter like ?endpoint= in graphql-playground, or from a database-provided value, then that custom graphiql implementation is vulnerable to phishing attacks, and thus to much more readily available, low- or no-privilege XSS attacks. The URLs could look like any generic GraphQL schema URL. Desktop clients such as Altair, Insomnia and Postwoman do not appear to be impacted. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. 
It does impact all forks of graphiql, and every released version of graphiql.","aliases":["GHSA-x4r7-m2q9-69c8"],"modified":"2026-03-20T11:44:27.079365Z","published":"2021-11-04T21:15:08.097Z","related":["GHSA-59r9-6jp6-jcm7","GHSA-x4r7-m2q9-69c8"],"references":[{"type":"ADVISORY","url":"https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8"},{"type":"ADVISORY","url":"https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7"},{"type":"FIX","url":"https://github.com/graphql/graphiql/commit/cb237eeeaf7333c4954c752122261db7520f7bf4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphql/graphiql","events":[{"introduced":"edc5da196e7fe88995c6a5813876c1fa8c850c1a"},{"fixed":"8680b75c0709f20007a47590ae0c44fe98dd89dd"},{"fixed":"cb237eeeaf7333c4954c752122261db7520f7bf4"}],"database_specific":{"versions":[{"introduced":"0.5.0"},{"fixed":"1.4.7"}]}}],"versions":["1.3.2","@graphiql/toolkit@0.2.1","@graphiql/toolkit@0.2.2","@graphiql/toolkit@0.3.0","@graphiql/toolkit@0.3.1","@graphiql/toolkit@0.3.2","codemirror-graphql@0.11.0","codemirror-graphql@0.11.1","codemirror-graphql@0.11.2","codemirror-graphql@0.11.3","codemirror-graphql@0.11.4","codemirror-graphql@0.11.5","codemirror-graphql@0.11.6","codemirror-graphql@0.12.0","codemirror-graphql@0.12.0-alpha.0","codemirror-graphql@0.12.0-alpha.10","codemirror-graphql@0.12.0-alpha.11","codemirror-graphql@0.12.0-alpha.3","codemirror-graphql@0.12.0-alpha.4","codemirror-graphql@0.12.0-alpha.5","codemirror-graphql@0.12.0-alpha.6","codemirror-graphql@0.12.0-alpha.7","codemirror-graphql@0.12.0-alpha.8","codemirror-graphql@0.12.0-alpha.9","codemirror-graphql@0.12.1","codemirror-graphql@0.12.2","codemirror-graphql@0.12.2-alpha.0","codemirror-graphql@0.12.2-alpha.1","codemirror-graphql@0.12.2-alpha.2","codemirror-graphql@0.12.3","codemirror-graphql@0.12.4","codemirror-graphql@0.13.0","codemirror-graphql@0.13.1","codemirror-graphql@0.14.0","codemirror-graphql@0.15.0","codemir
ror-graphql@0.15.1","codemirror-graphql@0.15.2","codemirror-graphql@1.0.0","codemirror-graphql@1.0.2","codemirror-graphql@1.0.3","example-graphiql-cdn@0.0.8","example-graphiql-cdn@0.0.8-alpha.0","example-graphiql-cdn@0.0.8-alpha.3","example-graphiql-cdn@0.0.8-alpha.4","example-graphiql-cdn@0.0.8-alpha.5","example-graphiql-cdn@0.0.8-alpha.6","example-graphiql-create-react-app@0.1.1","example-graphiql-create-react-app@0.1.10","example-graphiql-create-react-app@0.1.11-alpha.0","example-graphiql-create-react-app@0.1.11-alpha.1","example-graphiql-create-react-app@0.1.11-alpha.2","example-graphiql-create-react-app@0.1.11-alpha.3","example-graphiql-create-react-app@0.1.11-alpha.4","example-graphiql-create-react-app@0.1.11-alpha.5","example-graphiql-create-react-app@0.1.11-alpha.6","example-graphiql-create-react-app@0.1.11-alpha.7","example-graphiql-create-react-app@0.1.11-alpha.8","example-graphiql-create-react-app@0.1.2","example-graphiql-create-react-app@0.1.3","example-graphiql-create-react-app@0.1.4","example-graphiql-create-react-app@0.1.5","example-graphiql-create-react-app@0.1.6","example-graphiql-webpack@1.0.0","example-graphiql-webpack@1.0.0-alpha.0","example-graphiql-webpack@1.0.0-alpha.10","example-graphiql-webpack@1.0.0-alpha.11","example-graphiql-webpack@1.0.0-alpha.12","example-graphiql-webpack@1.0.0-alpha.13","example-graphiql-webpack@1.0.0-alpha.3","example-graphiql-webpack@1.0.0-alpha.4","example-graphiql-webpack@1.0.0-alpha.5","example-graphiql-webpack@1.0.0-alpha.6","example-graphiql-webpack@1.0.0-alpha.7","example-graphiql-webpack@1.0.0-alpha.8","example-graphiql-webpack@1.0.0-alpha.9","example-graphiql-webpack@1.1.0","example-graphiql-webpack@1.1.1-alpha.0","example-graphiql-webpack@1.1.1-alpha.1","example-graphiql-webpack@1.1.1-alpha.2","example-graphiql-webpack@1.1.1-alpha.3","example-graphiql-webpack@1.1.1-alpha.4","example-graphiql-webpack@1.1.1-alpha.5","example-graphiql-webpack@1.1.1-alpha.6","example-graphiql-webpack@1.1.1-alpha.7","example-grap
hiql-webpack@1.1.1-alpha.8","example-monaco-graphql-webpack@1.0.0","example-monaco-graphql-webpack@1.0.0-alpha.4","example-monaco-graphql-webpack@1.0.0-alpha.5","example-monaco-graphql-webpack@1.0.0-alpha.6","example-monaco-graphql-webpack@1.0.0-alpha.7","example-monaco-graphql-webpack@1.0.0-alpha.8","example-monaco-graphql-webpack@1.1.0","example-monaco-graphql-webpack@1.1.1-alpha.0","example-monaco-graphql-webpack@1.1.1-alpha.1","example-monaco-graphql-webpack@1.1.1-alpha.2","example-monaco-graphql-webpack@1.1.1-alpha.3","example-monaco-graphql-webpack@1.1.1-alpha.4","example-monaco-graphql-webpack@1.1.1-alpha.5","example-monaco-graphql-webpack@1.1.1-alpha.6","example-monaco-graphql-webpack@1.1.1-alpha.7","graphiql-2-rfc-context@2.0.0","graphiql-2-rfc-context@2.0.0-alpha.6","graphiql-2-rfc-context@2.0.1","graphiql-2-rfc-context@2.0.2","graphiql-2-rfc-context@2.0.3","graphiql-2-rfc-context@2.0.4","graphiql-2-rfc-context@2.1.0","graphiql-2-rfc-context@2.1.1","graphiql-2-rfc-context@2.1.2","graphiql-example-cdn@0.0.4","graphiql-example-cdn@0.0.5","graphiql-example-cdn@0.0.6","graphiql-example-cdn@0.0.7","graphiql-example-webpack@0.0.10","graphiql-example-webpack@0.0.5","graphiql-example-webpack@0.0.6","graphiql-example-webpack@0.0.7","graphiql-example-webpack@0.0.8","graphiql-example-webpack@0.0.9","graphiql-parcel-example@1.1.0","graphiql-parcel-example@1.1.1","graphiql-parcel-example@1.1.10-alpha.0","graphiql-parcel-example@1.1.10-alpha.1","graphiql-parcel-example@1.1.10-alpha.2","graphiql-parcel-example@1.1.10-alpha.3","graphiql-parcel-example@1.1.10-alpha.4","graphiql-parcel-example@1.1.10-alpha.5","graphiql-parcel-example@1.1.10-alpha.6","graphiql-parcel-example@1.1.10-alpha.7","graphiql-parcel-example@1.1.10-alpha.8","graphiql-parcel-example@1.1.2","graphiql-parcel-example@1.1.3","graphiql-parcel-example@1.1.4","graphiql-parcel-example@1.1.5","graphiql-parcel-example@1.1.9","graphiql@0.15.0","graphiql@0.15.1","graphiql@0.16.0","graphiql@0.17.0","graphiql@0.17.1
","graphiql@0.17.2","graphiql@0.17.3","graphiql@0.17.4","graphiql@0.17.5","graphiql@1.0.0","graphiql@1.0.0-alpha.0","graphiql@1.0.0-alpha.10","graphiql@1.0.0-alpha.11","graphiql@1.0.0-alpha.12","graphiql@1.0.0-alpha.13","graphiql@1.0.0-alpha.3","graphiql@1.0.0-alpha.4","graphiql@1.0.0-alpha.5","graphiql@1.0.0-alpha.6","graphiql@1.0.0-alpha.7","graphiql@1.0.0-alpha.8","graphiql@1.0.0-alpha.9","graphiql@1.0.4","graphiql@1.0.5","graphiql@1.0.6","graphiql@1.1.0","graphiql@1.2.0","graphiql@1.2.1","graphiql@1.2.2","graphiql@1.3.0","graphiql@1.3.1","graphiql@1.3.2","graphiql@1.4.0-rc.1","graphiql@1.4.2","graphiql@1.4.3","graphiql@1.4.4","graphiql@1.4.5","graphiql@1.4.6","graphiql@2.0.0-alpha.1","graphiql@2.0.0-alpha.2","graphiql@2.0.0-alpha.3","graphiql@2.0.0-alpha.4","graphiql@2.0.0-alpha.5","graphql-language-service-cli@3.0.0","graphql-language-service-cli@3.0.0-alpha.2","graphql-language-service-cli@3.0.0-alpha.3","graphql-language-service-cli@3.0.0-alpha.4","graphql-language-service-cli@3.0.0-alpha.5","graphql-language-service-cli@3.0.1","graphql-language-service-cli@3.1.0","graphql-language-service-cli@3.1.0-alpha.0","graphql-language-service-cli@3.1.0-alpha.1","graphql-language-service-cli@3.1.0-alpha.2","graphql-language-service-cli@3.1.0-alpha.3","graphql-language-service-cli@3.1.0-alpha.4","graphql-language-service-cli@3.1.0-alpha.5","graphql-language-service-cli@3.1.1","graphql-language-service-cli@3.1.10","graphql-language-service-cli@3.1.11","graphql-language-service-cli@3.1.12","graphql-language-service-cli@3.1.14","graphql-language-service-cli@3.1.2","graphql-language-service-cli@3.1.3","graphql-language-service-cli@3.1.4","graphql-language-service-cli@3.1.5","graphql-language-service-cli@3.1.6","graphql-language-service-cli@3.1.7","graphql-language-service-cli@3.1.8","graphql-language-service-cli@3.1.9","graphql-language-service-interface@2.3.0","graphql-language-service-interface@2.3.1","graphql-language-service-interface@2.3.2","graphql-language-service-in
terface@2.3.3","graphql-language-service-interface@2.4.0","graphql-language-service-interface@2.4.0-alpha.0","graphql-language-service-interface@2.4.0-alpha.10","graphql-language-service-interface@2.4.0-alpha.11","graphql-language-service-interface@2.4.0-alpha.3","graphql-language-service-interface@2.4.0-alpha.4","graphql-language-service-interface@2.4.0-alpha.5","graphql-language-service-interface@2.4.0-alpha.6","graphql-language-service-interface@2.4.0-alpha.7","graphql-language-service-interface@2.4.0-alpha.8","graphql-language-service-interface@2.4.0-alpha.9","graphql-language-service-interface@2.4.1","graphql-language-service-interface@2.4.2","graphql-language-service-interface@2.4.2-alpha.0","graphql-language-service-interface@2.4.2-alpha.1","graphql-language-service-interface@2.4.2-alpha.2","graphql-language-service-interface@2.4.3","graphql-language-service-interface@2.5.0","graphql-language-service-interface@2.6.0","graphql-language-service-interface@2.7.0","graphql-language-service-interface@2.8.0","graphql-language-service-interface@2.8.1","graphql-language-service-interface@2.8.2","graphql-language-service-interface@2.8.3","graphql-language-service-interface@2.8.4","graphql-language-service-parser@1.5.0","graphql-language-service-parser@1.5.1","graphql-language-service-parser@1.5.2","graphql-language-service-parser@1.5.3-alpha.0","graphql-language-service-parser@1.6.0","graphql-language-service-parser@1.6.0-alpha.1","graphql-language-service-parser@1.6.0-alpha.2","graphql-language-service-parser@1.6.0-alpha.3","graphql-language-service-parser@1.6.0-alpha.4","graphql-language-service-parser@1.6.0-alpha.5","graphql-language-service-parser@1.6.0-alpha.6","graphql-language-service-parser@1.6.1","graphql-language-service-parser@1.6.2","graphql-language-service-parser@1.6.3","graphql-language-service-parser@1.6.4","graphql-language-service-parser@1.6.5","graphql-language-service-parser@1.7.0","graphql-language-service-parser@1.8.0","graphql-language-service-pa
rser@1.9.0","graphql-language-service-parser@1.9.1","graphql-language-service-parser@1.9.2","graphql-language-service-parser@1.9.3","graphql-language-service-server@2.3.0","graphql-language-service-server@2.3.1","graphql-language-service-server@2.3.2","graphql-language-service-server@2.3.3","graphql-language-service-server@2.4.0","graphql-language-service-server@2.4.0-alpha.0","graphql-language-service-server@2.4.0-alpha.10","graphql-language-service-server@2.4.0-alpha.11","graphql-language-service-server@2.4.0-alpha.12","graphql-language-service-server@2.4.0-alpha.3","graphql-language-service-server@2.4.0-alpha.4","graphql-language-service-server@2.4.0-alpha.5","graphql-language-service-server@2.4.0-alpha.6","graphql-language-service-server@2.4.0-alpha.7","graphql-language-service-server@2.4.0-alpha.8","graphql-language-service-server@2.4.0-alpha.9","graphql-language-service-server@2.4.1","graphql-language-service-server@2.5.0","graphql-language-service-server@2.5.0-alpha.0","graphql-language-service-server@2.5.0-alpha.1","graphql-language-service-server@2.5.0-alpha.2","graphql-language-service-server@2.5.0-alpha.3","graphql-language-service-server@2.5.0-alpha.4","graphql-language-service-server@2.5.0-alpha.5","graphql-language-service-server@2.5.1","graphql-language-service-server@2.5.2","graphql-language-service-server@2.5.3","graphql-language-service-server@2.5.4","graphql-language-service-server@2.5.5","graphql-language-service-server@2.5.6","graphql-language-service-server@2.5.7","graphql-language-service-server@2.5.8","graphql-language-service-server@2.5.9","graphql-language-service-server@2.6.0","graphql-language-service-server@2.6.1","graphql-language-service-server@2.6.2","graphql-language-service-server@2.6.3","graphql-language-service-server@2.6.4","graphql-language-service-server@2.6.5","graphql-language-service-types@1.5.0","graphql-language-service-types@1.5.1","graphql-language-service-types@1.5.2","graphql-language-service-types@1.6.0","graphql-lang
uage-service-types@1.6.0-alpha.0","graphql-language-service-types@1.6.0-alpha.3","graphql-language-service-types@1.6.0-alpha.4","graphql-language-service-types@1.6.0-alpha.5","graphql-language-service-types@1.6.0-alpha.6","graphql-language-service-types@1.6.0-alpha.7","graphql-language-service-types@1.6.0-alpha.8","graphql-language-service-types@1.6.1","graphql-language-service-types@1.6.2","graphql-language-service-types@1.6.3","graphql-language-service-types@1.7.0","graphql-language-service-types@1.8.0","graphql-language-service-types@1.8.2","graphql-language-service-utils@2.3.0","graphql-language-service-utils@2.3.1","graphql-language-service-utils@2.3.2","graphql-language-service-utils@2.3.3","graphql-language-service-utils@2.4.0","graphql-language-service-utils@2.4.0-alpha.0","graphql-language-service-utils@2.4.0-alpha.3","graphql-language-service-utils@2.4.0-alpha.4","graphql-language-service-utils@2.4.0-alpha.5","graphql-language-service-utils@2.4.0-alpha.6","graphql-language-service-utils@2.4.0-alpha.7","graphql-language-service-utils@2.4.0-alpha.8","graphql-language-service-utils@2.4.0-alpha.9","graphql-language-service-utils@2.4.1","graphql-language-service-utils@2.4.2","graphql-language-service-utils@2.4.3","graphql-language-service-utils@2.4.4","graphql-language-service-utils@2.5.0","graphql-language-service-utils@2.5.1","graphql-language-service-utils@2.5.2","graphql-language-service-utils@2.5.3","graphql-language-service@2.3.0","graphql-language-service@2.3.1","graphql-language-service@2.3.2","graphql-language-service@2.3.3","graphql-language-service@2.3.4","graphql-language-service@2.4.0-alpha.0","graphql-language-service@2.4.0-alpha.3","graphql-language-service@2.4.0-alpha.4","graphql-language-service@2.4.0-alpha.5","graphql-language-service@2.4.0-alpha.6","graphql-language-service@2.4.0-alpha.7","graphql-language-service@2.4.0-alpha.8","graphql-language-service@3.0.0","graphql-language-service@3.0.0-alpha.1","graphql-language-service@3.0.0-alpha.2",
"graphql-language-service@3.0.0-alpha.3","graphql-language-service@3.0.0-alpha.4","graphql-language-service@3.0.1","graphql-language-service@3.0.2","graphql-language-service@3.0.2-alpha.0","graphql-language-service@3.0.2-alpha.1","graphql-language-service@3.0.2-alpha.2","graphql-language-service@3.0.2-alpha.3","graphql-language-service@3.0.3","graphql-language-service@3.0.4","graphql-language-service@3.0.5","graphql-language-service@3.0.6","graphql-language-service@3.1.0","graphql-language-service@3.1.1","graphql-language-service@3.1.2","graphql-language-service@3.1.3","graphql-language-service@3.1.4","graphql-language-service@3.1.5","graphql-language-service@3.1.6","graphql-languageservice@2.4.0-alpha.8","latest","monaco-graphql@0.1.0","monaco-graphql@0.1.1","monaco-graphql@0.1.2","monaco-graphql@0.1.3","monaco-graphql@0.1.4","monaco-graphql@0.2.0","monaco-graphql@0.3.0","monaco-graphql@0.3.1","monaco-graphql@0.3.1-alpha.0","monaco-graphql@0.3.1-alpha.1","monaco-graphql@0.3.1-alpha.2","monaco-graphql@0.3.1-alpha.3","monaco-graphql@0.3.2","monaco-graphql@0.3.3","monaco-graphql@0.3.4","monaco-graphql@0.3.5","monaco-graphql@0.4.0","monaco-graphql@0.4.1","monaco-graphql@0.4.2","monaco-graphql@0.4.4","monaco-graphql@0.5.0","monaco-graphql@0.5.1","v0.0.0","v0.0.1","v0.0.2","v0.0.22","v0.1.0-0","v0.1.1-0","v0.1.10","v0.1.11","v0.1.12","v0.1.13","v0.1.14","v0.1.2-0","v0.1.3-0","v0.1.4-0","v0.1.5","v0.1.5-0","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.10.0","v0.10.1","v0.10.2","v0.11.0","v0.11.1","v0.11.10","v0.11.11","v0.11.2","v0.11.3","v0.11.4","v0.11.5","v0.11.6","v0.11.7","v0.11.8","v0.12.0","v0.13.0","v0.13.1","v0.13.2","v0.2.1","v0.2.2","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.6.10","v0.6.11","v0.6.12","v0.6.2","v0.6.3","v0.6.4","v0.6.5","v0.6.6","v0.6.7","v0.6.8","v0.6.9","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.7.7","v0.7.8","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.9.0","v0.
9.1","v0.9.2","v0.9.3","v1.0.15","v1.0.16","v1.0.18","v1.1.0","v1.1.1","v1.1.2","v1.2.2","v2.0.0","v2.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41248.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}
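An added check for the class of input this advisory describes, written here as an example and not taken from the graphiql project or from the fix commit: it validates every name in an introspection response against the GraphQL Name grammar before a custom fetcher hands the schema to the IDE, and shows the escaping an autocomplete hint renderer must apply to schema-derived strings. The `findInvalidNames`, `guardIntrospection`, `renderHintUnsafe` and `renderHintSafe` helpers and the sample introspection document are constructed for this example; GraphiQL exposes no API by these names, and the unsafe renderer only illustrates the shape of the bug, not the project's actual onHasCompletion.ts code.

```javascript
// Added example for CVE-2021-41248 (not GraphiQL's own code). Two things a
// practitioner wants around this bug: a guard that rejects an introspection
// result whose names are not valid GraphQL Names before the schema reaches a
// web IDE, and the escaping any autocomplete hint renderer must apply to
// schema-derived strings. The sample introspection below is constructed.

// The GraphQL spec's Name production: /[_A-Za-z][_0-9A-Za-z]*/. A name like
// "<img src=x onerror=...>" can never be produced by a conforming server.
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Escape the five characters that matter when a string lands in HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Walk an introspection response ({ data: { __schema: { types: [...] } } })
// and return every name that is not a valid GraphQL Name, with its location.
// Field, argument, enum value and input field names are checked as well as
// type names, since all of them can end up in autocomplete hints.
function findInvalidNames(introspection) {
  const schema = introspection && introspection.data && introspection.data.__schema;
  if (!schema || !Array.isArray(schema.types)) {
    throw new Error('not an introspection result');
  }
  const bad = [];
  const check = (where, name) => {
    if (typeof name !== 'string' || !GRAPHQL_NAME.test(name)) {
      bad.push({ where, name });
    }
  };
  for (const t of schema.types) {
    check('type', t.name);
    for (const f of t.fields || []) {
      check(`${t.name}.${f.name}`, f.name);
      for (const a of f.args || []) check(`${t.name}.${f.name}(${a.name})`, a.name);
    }
    for (const v of t.enumValues || []) check(`${t.name}.${v.name}`, v.name);
    for (const f of t.inputFields || []) check(`${t.name}.${f.name}`, f.name);
  }
  return bad;
}

// Hypothetical drop-in for a custom fetcher: refuse a schema whose names fail
// validation, so a hostile endpoint becomes a hard error rather than script.
function guardIntrospection(introspection) {
  const bad = findInvalidNames(introspection);
  if (bad.length > 0) {
    const list = bad.map((b) => `${b.where}: ${JSON.stringify(b.name)}`).join(', ');
    throw new Error(`refusing schema with invalid GraphQL names (${list})`);
  }
  return introspection;
}

// The shape of the bug: a schema-derived name written into markup unescaped
// (illustration only, not the real onHasCompletion.ts code).
function renderHintUnsafe(typeName) {
  return `<div class="hint-type">${typeName}</div>`;
}

// Hardened equivalent: escape before the string reaches innerHTML
// (or assign it with textContent instead).
function renderHintSafe(typeName) {
  return `<div class="hint-type">${escapeHtml(typeName)}</div>`;
}

// Constructed sample: an otherwise ordinary schema with one malicious type name.
const EVIL_NAME = '<img src=x onerror=alert(document.domain)>';
const SAMPLE_INTROSPECTION = {
  data: {
    __schema: {
      queryType: { name: 'Query' },
      types: [
        { kind: 'OBJECT', name: 'Query',
          fields: [{ name: 'user', args: [{ name: 'id' }], type: { kind: 'OBJECT', name: EVIL_NAME } }] },
        { kind: 'OBJECT', name: EVIL_NAME, fields: [{ name: 'id', args: [] }] },
        { kind: 'SCALAR', name: 'String', fields: null },
        { kind: 'ENUM', name: 'Role', enumValues: [{ name: 'ADMIN' }, { name: 'USER' }] },
      ],
    },
  },
};

// Same document with the bad name replaced, to show the guard passes clean input.
const CLEAN_INTROSPECTION = JSON.parse(JSON.stringify(SAMPLE_INTROSPECTION));
CLEAN_INTROSPECTION.data.__schema.types[1].name = 'User';
CLEAN_INTROSPECTION.data.__schema.types[0].fields[0].type.name = 'User';

console.log('invalid names:', findInvalidNames(SAMPLE_INTROSPECTION));
console.log('unsafe:', renderHintUnsafe(EVIL_NAME));
console.log('safe:  ', renderHintSafe(EVIL_NAME));
```

In a custom fetcher that lets users choose the endpoint, run the introspection result through `guardIntrospection` before passing it to `buildClientSchema`. This does not replace upgrading to graphiql@1.4.7 or later, since the IDE still renders the names it is given, but it turns a malicious schema into a failed load instead of script execution in the user's origin.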