CVE-2026-41700
Spring · GraphQL
Spring for GraphQL applications utilizing WebSocket transport are susceptible to Cross-Site WebSocket Hijacking (CSWSH) attacks.
Executive summary
Spring for GraphQL applications are at risk of Cross-Site WebSocket Hijacking, which may allow unauthorized parties to intercept or interact with WebSocket sessions.
Vulnerability
The application fails to properly validate the origin of WebSocket upgrade requests, allowing an attacker to perform Cross-Site WebSocket Hijacking. Only applications with the WebSocket transport enabled are affected.
Business impact
The CVSS score of 8.1 (High) indicates a significant risk of unauthorized interaction with user sessions. Exploitation could lead to the theft of sensitive session data or the execution of unauthorized actions within the context of an authenticated user's session, resulting in a potential compromise of application integrity.
Remediation
Immediate Action: Update to the latest version of Spring for GraphQL as soon as a security patch is released by the vendor.
Proactive Monitoring: Monitor WebSocket traffic logs for connections originating from unexpected or suspicious domains.
Compensating Controls: Configure strict CORS (Cross-Origin Resource Sharing) policies and origin validation on the WebSocket endpoint to ensure only authorized clients can establish connections.
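One way to apply the origin-validation control above, as an added example (not Spring for GraphQL's own code and not the vendor's fix): a servlet filter that rejects any WebSocket upgrade request whose Origin header is not on an allowlist, and logs the rejected origin so it can feed the monitoring step. It assumes a Spring Boot 3 application on the servlet (Spring MVC) stack; the class name and the allowed origin are hypothetical.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class: runs ahead of the WebSocket handshake handling.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class WebSocketOriginFilter extends OncePerRequestFilter {

    // Assumption: constructed allowlist. Use the exact scheme://host[:port]
    // of every front end that is allowed to open the WebSocket.
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://app.example.com");

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Inspect every WebSocket upgrade, whatever the path, so the check
        // cannot be skipped through a path-matching difference.
        String upgrade = request.getHeader("Upgrade");
        return upgrade == null
                || !upgrade.toLowerCase(Locale.ROOT).contains("websocket");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String origin = request.getHeader("Origin");
        // Exact match only: a missing Origin, the literal "null" origin and
        // look-alike hosts are all refused. Non-browser clients send no
        // Origin header and need a separate, explicit decision.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            String safe = origin == null ? "<none>" : origin.replaceAll("[\\r\\n]", "_");
            logger.warn("Rejected WebSocket upgrade from origin " + safe
                    + " to " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The warning lines this filter writes give a direct record of handshakes from unexpected origins.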
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams should immediately audit their Spring for GraphQL implementations to determine if WebSocket transport is enabled. Until a patch is available, enforcing strict origin checks is essential to prevent unauthorized session hijacking.