{"id":"CVE-2021-41249","details":"GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.","aliases":["GHSA-59r9-6jp6-jcm7"],"modified":"2026-04-10T04:38:24.817624Z","published":"2021-11-04T20:15:08.597Z","related":["GHSA-59r9-6jp6-jcm7","GHSA-x4r7-m2q9-69c8"],"references":[{"type":"ADVISORY","url":"https://github.com/graphql/graphql-playground/security/advisories/GHSA-59r9-6jp6-jcm7"},{"type":"ADVISORY","url":"https://github.com/graphql/graphiql/security/advisories/GHSA-x4r7-m2q9-69c8"},{"type":"FIX","url":"https://github.com/graphql/graphql-playground/commit/b8a956006835992f12c46b90384a79ab82bcadad"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphql/graphql-playground","events":[{"introduced":"0"},{"fixed":"220a7c19030fe15fc309082c3163b109a72a1551"},{"fixed":"b8a956006835992f12c46b90384a79ab82bcadad"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.7.28"}]}}],"versions":["1.3.8-beta.1","1.5.3","1.6.2","graphql-playground-electron@1.8.11","graphql-playground-electron@1.8.12","graphql-playground-electron@1.8.13","graphql-playground-electron@1.8.14","graphql-playground-electron@1.8.15","graphql-playground-html@1.6.23","graphql-playground-html@1.6.26","graphql-playground-html@1.6.27","graphql-playground-html@1.6.28","graphql-playground-html@1.6.29","graphql-playground-middleware-express@1.7.15","graphql-playground-middleware-express@1.7.19","graphql-playground-middleware-express@1.7.20","graphql-playground-middleware-express@1.7.21","graphql-playground-middleware-express@1.7.22","graphql-playground-middleware-hapi@1.6.14","graphql-playground-middleware-hapi@1.6.16","graphql-playground-middleware-hapi@1.6.17","graphql-playground-middleware-hapi@1.6.18","graphql-playground-middleware-hapi@1.6.19","graphql-playground-middleware-koa@1.6.16","graphql-playground-middleware-koa@1.6.18","graphql-playground-middleware-koa@1.6.19","graphql-playground-middleware-koa@1.6.20","graphql-playground-middleware-koa@1.6.21","graphql-playground-middleware-lambda@1.7.18","graphql-playground-middleware-lambda@1.7.20","graphql-playground-middleware-lambda@1.7.21","graphql-playground-middleware-lambda@1.7.22","graphql-playground-middleware-lambda@1.7.23","graphql-playground-react@1.7.23","graphql-playground-react@1.7.24","graphql-playground-react@1.7.26","graphql-playground-react@1.7.27","v1.0.1","v1.0.2","v1.0.2-rc.1","v1.1.0","v1.1.1","v1.1.6","v1.2.0","v1.3.0","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17","v1.3.18","v1.3.19","v1.3.20","v1.3.21","v1.3.22","v1.3.23","v1.3.24","v1.3.4","v1.3.5","v1.3.6","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.0-rc.1","v1.5.0-rc.2","v1.5.0-rc.4","v1.5.0-rc.5","v1.5.1","v1.5.2","v1.5.4","v1.5.5","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.0","v1.6.1","v1.6.3","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41249.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}