While working in ever-gauzy project, I found that the application uses @apollo/federation-internals, which is affected by a prototype pollution vulnerability (CVE-2026-32621). The issue occurs in the Apollo Federation gateway query plan execution, where malicious GraphQL operations (e.g., crafted field aliases or variable names like proto, constructor, or prototype) may pollute Object.prototype.
CVE Link
CVE Report
While working in ever-gauzy project, I found that the application uses @apollo/federation-internals, which is affected by a prototype pollution vulnerability (CVE-2026-32621). The issue occurs in the Apollo Federation gateway query plan execution, where malicious GraphQL operations (e.g., crafted field aliases or variable names like proto, constructor, or prototype) may pollute Object.prototype.
CVE Link
CVE Report