HIGH 7.3 npm
Prototype Pollution in @apollo/gateway
GHSA-74cr-77xc-8g6r
Published · Modified
Description
Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.
Recommendation
Upgrade to version 0.6.2 or later.
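As an added illustration of the mitigation (example code, not @apollo/gateway's own deepMerge()), the merge below skips the keys that reach the prototype chain and only recurses into own, plain-object properties; the `hostile` input is constructed here to show what the hardened merge refuses, and `prototypeIsClean()` is a hypothetical helper for checking that Object.prototype stayed untouched.

```javascript
// Added example, not code from @apollo/gateway. Demonstrates a deep merge that
// cannot write to Object.prototype, plus a check that it did not.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for ordinary objects (literals / JSON.parse output), not arrays,
// class instances or null.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never follow a key into the prototype chain
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      // Recurse only into an *own* plain-object property of target; an inherited
      // property (e.g. target.__proto__) must never become the merge destination.
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(existing, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Hypothetical helper: has `name` been added to Object.prototype?
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed input shaped like a pollution attempt: JSON.parse turns
// "__proto__" into an own property, which a naive merge would walk into.
const hostile = JSON.parse(
  '{"__proto__": {"polluted": "yes"},' +
  ' "constructor": {"prototype": {"polluted2": "yes"}},' +
  ' "config": {"debug": true}}'
);

function runDemo() {
  const merged = safeDeepMerge({ config: { debug: false, name: 'svc' } }, hostile);
  const clean = prototypeIsClean('polluted') && prototypeIsClean('polluted2');
  return { merged, clean };
}
```

Running `runDemo()` yields `clean === true` while the legitimate `config` subtree is still merged.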