Login Sign Up

CVE-2020-4038

7.4 HIGH
Cross-Site Scripting

📋 TL;DR

CVE-2020-4038 is a severe cross-site scripting (XSS) vulnerability in GraphQL Playground's HTML rendering component. It allows attackers to inject malicious scripts through unsanitized user input passed to the renderPlaygroundPage() method, potentially compromising user sessions and data. This affects all applications using vulnerable versions of graphql-playground-html and related middleware packages.

💻 Affected Systems

Products:
  • graphql-playground-html
  • graphql-playground-middleware-express
  • graphql-playground-middleware-koa
  • graphql-playground-middleware-lambda
  • graphql-playground-middleware-hapi
Versions: graphql-playground-html < 1.6.22, graphql-playground-middleware-express < 1.7.16, graphql-playground-middleware-koa < 1.6.15, graphql-playground-middleware-lambda < 1.7.17, graphql-playground-middleware-hapi < 1.6.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable renderPlaygroundPage() method with unsanitized user input is affected. The vulnerability is in the HTML rendering component, not the GraphQL engine itself.

📦 What is this software?

Graphql Playground Html by Prisma

View all CVEs affecting Graphql Playground Html →

Graphql Playground Middleware Express by Prisma

View all CVEs affecting Graphql Playground Middleware Express →

Graphql Playground Middleware Hapi by Prisma

View all CVEs affecting Graphql Playground Middleware Hapi →

Graphql Playground Middleware Koa by Prisma

View all CVEs affecting Graphql Playground Middleware Koa →

Graphql Playground Middleware Lambda by Prisma

View all CVEs affecting Graphql Playground Middleware Lambda →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking, credential theft, complete account takeover, and data exfiltration from affected applications.

🟠

Likely Case

Attackers inject malicious scripts to steal session cookies or authentication tokens, enabling unauthorized access to user accounts and sensitive data within the application.

🟢

If Mitigated

With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution and limiting impact to data display issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited with readily available payloads. The advisory includes technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: graphql-playground-html 1.6.22, graphql-playground-middleware-express 1.7.16, graphql-playground-middleware-koa 1.6.15, graphql-playground-middleware-lambda 1.7.17, graphql-playground-middleware-hapi 1.6.13

Vendor Advisory: https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf

Restart Required: Yes

Instructions:

1. Identify which graphql-playground package(s) your application uses. 2. Update package.json to specify the patched version. 3. Run 'npm update' or 'yarn upgrade' for the affected packages. 4. Restart your application server. 5. Verify the update by checking package versions.

🔧 Temporary Workarounds

Input Sanitization Wrapper

all

Implement custom input sanitization before passing user data to renderPlaygroundPage() method

// JavaScript example: Use DOMPurify or similar library to sanitize inputs
const cleanInput = DOMPurify.sanitize(userInput);
renderPlaygroundPage({...options, userInput: cleanInput});

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline scripts and restrict script sources
  • Disable GraphQL Playground in production environments or restrict access to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for affected package versions. For npm: 'npm list graphql-playground-html' and similar for middleware packages.

Check Version:

npm list graphql-playground-html graphql-playground-middleware-express graphql-playground-middleware-koa graphql-playground-middleware-lambda graphql-playground-middleware-hapi

Verify Fix Applied:

After updating, verify installed versions match patched versions using 'npm list' or check package-lock.json.

📡 Detection & Monitoring

Log Indicators:

  • Unusual long strings or script-like patterns in GraphQL playground requests
  • Multiple failed attempts with malformed input to playground endpoints

Network Indicators:

  • HTTP requests containing JavaScript payloads to GraphQL playground endpoints
  • Unexpected outbound connections from user browsers after visiting playground

SIEM Query:

source="web_server" AND (uri_path="/graphql" OR uri_path="/playground") AND (http_user_agent CONTAINS "script" OR request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2020-4038
CVSS v3 Score: 7.4 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CWE: CWE-79
Published: June 8, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-4038, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)