Skip to content

[Security] Vulnerability in ever-gauzy project #9615

Description

@ankitdn

While working in ever-gauzy project, I found that the application uses @apollo/federation-internals, which is affected by a prototype pollution vulnerability (CVE-2026-32621). The issue occurs in the Apollo Federation gateway query plan execution, where malicious GraphQL operations (e.g., crafted field aliases or variable names like proto, constructor, or prototype) may pollute Object.prototype.

CVE Link
CVE Report

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions