Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2.
A malicious client can cause Object.prototype poisoning directly in the gateway through properly crafted GraphQL operations containing field aliases or variable names pointing to prototype-inherited properties. Alternatively, if one of the subgraphs (subgraph) were compromised, an attacker could pollute Object.prototype in the gateway through crafted JSON responses containing keys referencing prototype-inherited properties. The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
An attacker can modify global Object.prototype properties in the gateway runtime environment, which depending on context may lead to unauthorized data access, violation of integrity of processed requests, or service destabilization. The scope of breach includes high level of data confidentiality and integrity impact as well as moderate impact on availability, with the vulnerability crossing component boundaries (Scope: Changed).
Apollo Federation should be updated to one of the patched versions: 2.9.6, 2.10.5, 2.11.6, 2.12.3, or 2.13.2. Detailed information is available in the official security advisory from the vendor at the address indicated in the references.
Apollo Federation in versions prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L