CVE-2020-4038

Name: CVE-2020-4038
Creator: NVD / NIST
Published: 2020-06-08T21:15:09.923+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.4/10EPSS 7.24%

Last modified Jun 17, 2026

CVE-2020-4038 is a high-severity vulnerability rated 7.4/10 on the CVSS scale. GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. EPSS estimates a 7.24% chance of exploitation in the next 30 days.

Description

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.

Metrics

CVSS 3.1

7.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

EPSS Probability

7.24%

93.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Prisma	Graphql-Playground-Html	< 1.6.22
Prisma	Graphql-Playground-Middleware-Express	< 1.7.16
Prisma	Graphql-Playground-Middleware-Hapi	< 1.6.13
Prisma	Graphql-Playground-Middleware-Koa	< 1.6.15
Prisma	Graphql-Playground-Middleware-Lambda	< 1.7.17

References

https://github.com/prisma-labs/graphql-playground#security-detailsThird Party Advisory
https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7Patch, Third Party Advisory
https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rfMitigation, Third Party Advisory
https://github.com/prisma-labs/graphql-playground#security-detailsThird Party Advisory
https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7Patch, Third Party Advisory
https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rfMitigation, Third Party Advisory

Timeline

Published: Jun 8, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-4038?

How severe is CVE-2020-4038?

CVE-2020-4038 has a CVSS score of 7.4/10 (HIGH severity). The EPSS model estimates a 7.24% probability of exploitation in the next 30 days.

How do I fix CVE-2020-4038?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-4038?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST