GraphQL – Moderately critical – Cross Site Request Forgery – SA-CONTRIB-2023-051

Drupal Security Advisory

Cross Site Request Forgery
Affected versions: 
<3.4.0 || >=4.0.0 <4.6.0

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.

The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration.

This vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).


Install the latest version:

This vulnerability can also be mitigated by setting the SameSite attribute on session cookies to Lax (recommended) or Strict. This might not be suitable for sites that need to share the Drupal session cookie in some way with other sites. Set the following in your site’s services.yml file:

    # Session cookies are only used for backend admin accounts, so we restrict
    # the cookies to be used only from the backend origin. We don't use "Strict"
    # because that also removes cookies whenever an admin navigates from an
    # email or chat app, which is inconvenient. See
    cookie_samesite: Lax
Reported By: 
Fixed By: 
Coordinated By: