Prototype Pollution in @apollo/gateway

Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.

Recommendation

Upgrade to version 0.6.2 or later.

Published: Jun 13, 2019
Updated: Apr 14, 2023
GHSA: GHSA-74cr-77xc-8g6r
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWEs:

CWE-400
CWE-1321

Affected Software
References

Software	From	Fixed in
@apollo / gateway	-	0.6.2

https://github.com/apollographql/apollo-server/commit/cea7397582a293af6a5f60947da34b95e669c6c1
https://github.com/apollographql/apollo-server/pull/2779
https://snyk.io/vuln/SNYK-JS-APOLLOGATEWAY-174915
https://www.npmjs.com/advisories/917

Vulnerability Database

289,599

Prototype Pollution in @apollo/gateway

Recommendation