CVE-2025-59845

Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass

Description

Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3.

INFO

Published Date :

2025-09-26T22:38:57.350Z

Last Modified :

2025-09-29T15:02:04.057Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-59845 vulnerability.

Vendors	Products
Apollographql	Apollo Explorer Apollo Sandbox

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59845.

URL	Resource
https://github.com/apollographql/embeddable-explorer/security/advisories/GHSA-w87v-7w53-wwxv

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact