chore(deps): update dependency @apollo/gateway to v2.11.6 [security] #8193
Open
renovate[bot] wants to merge 1 commit into
Conversation
This PR contains the following updates:

Package: @apollo/gateway
Change: 2.11.2 → 2.11.6
Advisory: Apollo Federation vulnerable to prototype pollution via incomplete key sanitization (CVE-2026-32621 / GHSA-pfjj-6f4p-rvmh)
Impact
A vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in the gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in the gateway by crafting JSON response payloads that target prototype-inheritable properties.

Because Object.prototype is shared across the Node.js process, successful exploitation can affect subsequent requests to the gateway instance. This may result in unexpected application behavior, privilege escalation, data integrity issues, or other security impact depending on how polluted properties are subsequently consumed by the application or its dependencies. As of the date of this advisory, Apollo is not aware of any reported exploitation of this vulnerability.

Patches

Mitigations addressing prototype pollution exposure have been applied in @apollo/federation-internals, @apollo/gateway, and @apollo/query-planner versions 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2. Users are encouraged to upgrade to these versions or later at their earliest convenience.

Workarounds

A fully effective workaround is not available without a code change. As an interim measure, users who are unable to upgrade immediately may consider placing an input validation layer in front of the gateway to filter operations containing GraphQL names matching known Object.prototype pollution patterns (e.g., __proto__, constructor, prototype). Users should also ensure that subgraphs in their federated graph originate from trusted sources.

Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
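As an added example (not code from @apollo/gateway, the advisory, or this PR), the two defensive guards the advisory points at, written for plain Node.js with no dependencies: a merge of parsed subgraph JSON responses that never writes through a prototype-inheritable key, and the interim request-side name filter from the workaround. DANGEROUS_KEYS, mergeResponseSafe and findDangerousNames are names chosen here; the sample response and operation are constructed.

```javascript
// Added example, not code from @apollo/gateway or the advisory. Plain Node.js, no deps.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Copy `source` (e.g. a parsed subgraph JSON payload) into `target` without ever
// writing or descending through a prototype-inheritable key. JSON.parse turns a
// "__proto__" key into an ordinary own property, so a naive recursive merge would
// follow target.__proto__ (Object.prototype) and write into it for every object.
function mergeResponseSafe(target, source) {
  for (const key of Object.keys(source)) {              // own enumerable keys only
    if (DANGEROUS_KEYS.has(key)) continue;               // drop, never assign
    const value = source[key];
    if (isPlainObject(value)) {
      // Only reuse a child that is target's *own* plain object; an inherited
      // property (e.g. toString) is never used as a merge destination.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : (target[key] = Object.create(null));
      mergeResponseSafe(child, value);
    } else if (Array.isArray(value)) {
      // Objects inside lists get the same treatment; scalars are copied as-is.
      target[key] = value.map((v) => (isPlainObject(v) ? mergeResponseSafe(Object.create(null), v) : v));
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Interim request-side check from the advisory's workaround: report GraphQL names
// (aliases, variables, fields) in an operation that match known pollution patterns.
// Deliberately coarse: a legitimate field called `constructor` is flagged too.
const NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/g;
function findDangerousNames(operationText) {
  const hits = new Set();
  for (const name of operationText.match(NAME_RE) || []) {
    if (DANGEROUS_KEYS.has(name)) hits.add(name);
  }
  return [...hits].sort();
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_RESPONSE = JSON.parse(
  '{"data":{"user":{"id":"1","tags":[{"__proto__":{"t":1}}]}},"__proto__":{"polluted":true},"constructor":{"prototype":{"x":1}}}'
);
const SAMPLE_OPERATION = 'query Q($constructor: ID!) { __proto__: user(id: $constructor) { id } }';

const merged = mergeResponseSafe({}, SAMPLE_RESPONSE);
console.log(merged.data.user.id, ({}).polluted, ({}).x, findDangerousNames(SAMPLE_OPERATION));
```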
Release Notes

apollographql/federation (@apollo/gateway)

v2.11.6

Patch Changes

- Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain. (#3398) See the associated GitHub Advisory GHSA-pfjj-6f4p-rvmh for more information.
- Updated dependencies.

v2.11.5

Patch Changes

- Updated dependencies.

v2.11.4

Patch Changes

- Updated dependencies.

v2.11.3

Patch Changes

- Updated dependencies.

Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.