GHSA-m8jr-fxqx-8xx6: Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives carry the same access control requirements as the fields they reference. This allowed queries to read protected fields indirectly through their dependencies, bypassing access control checks. A fix to the composition logic in Federation now enforces that dependent fields match the access control requirements of the fields they reference.
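The following is an added, simplified model of the composition check described above; it is not Apollo Federation's own code, and the field names, the scope-based access model and the sample schema are all constructed for illustration (the dependency edges stand in for @requires / @fromContext references, and the scope sets stand in for whatever access-control directive the schema uses). It shows the transitive rule in both forms a composer could apply: detect fields whose declared requirements are weaker than those of the data they depend on, or lift each field's requirements to the effective set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldDef:
    """One schema field, named "Type.field" (hypothetical model, not Federation's types)."""
    name: str
    scopes: frozenset = frozenset()   # access requirements declared on the field; empty = public
    depends_on: tuple = ()            # fields it reads via @requires / @fromContext


def effective_scopes(schema: dict, name: str, _visiting: frozenset = frozenset()) -> frozenset:
    """Requirements a client must satisfy to obtain `name`, including everything
    reachable through its dependency chain (the transitive closure)."""
    if name in _visiting:             # cycle guard: a field cannot tighten itself
        return frozenset()
    field = schema[name]
    needed = set(field.scopes)
    for dep in field.depends_on:
        needed |= effective_scopes(schema, dep, _visiting | {name})
    return frozenset(needed)


def find_leaks(schema: dict) -> dict:
    """Fields whose declared requirements are weaker than those of the protected
    data they depend on. Non-empty result = composition must be rejected."""
    leaks = {}
    for name, field in schema.items():
        missing = effective_scopes(schema, name) - field.scopes
        if missing:
            leaks[name] = missing
    return leaks


def propagate_requirements(schema: dict) -> dict:
    """Alternative enforcement: return a schema where every field carries the
    full effective requirement set, so no dependency path is weaker."""
    return {
        name: FieldDef(name, effective_scopes(schema, name), field.depends_on)
        for name, field in schema.items()
    }


# Constructed sample schema. "User.ssn" is protected; two fields derive data from it
# without declaring the same requirement, which is the pattern the advisory describes.
SAMPLE_SCHEMA = {
    f.name: f
    for f in [
        FieldDef("User.name"),
        FieldDef("User.ssn", frozenset({"pii:read"})),
        FieldDef("User.maskedSsn", depends_on=("User.ssn",)),
        FieldDef("User.creditLimit", frozenset({"billing:read"}), depends_on=("User.ssn",)),
        FieldDef("User.riskReport", frozenset({"billing:read", "pii:read"}),
                 depends_on=("User.creditLimit",)),
    ]
}

if __name__ == "__main__":
    for name, missing in find_leaks(SAMPLE_SCHEMA).items():
        print(f"{name}: missing {sorted(missing)}")
    print("after propagation:", find_leaks(propagate_requirements(SAMPLE_SCHEMA)))
```

On the sample, `User.maskedSsn` and `User.creditLimit` are flagged because each reads `User.ssn` without declaring `pii:read`; `User.riskReport` passes because it already declares everything its dependency chain needs. Checking the transitive closure rather than only direct dependencies matters: a chain of two unprotected derived fields would otherwise hide the protected source.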
References
- github.com/advisories/GHSA-m8jr-fxqx-8xx6
- github.com/apollographql/federation
- github.com/apollographql/federation/commit/09e596e6a0c753071ca822e84f525d73ada395cf
- github.com/apollographql/federation/commit/0d8fca1c8cc375bb8486f11f339984b69267417d
- github.com/apollographql/federation/commit/20c75d1d60a48fc289d88c8d29652f1afc7553e4
- github.com/apollographql/federation/commit/e1c58611c3c996b4fff98a54e49f00549ff2115d
- github.com/apollographql/federation/security/advisories/GHSA-m8jr-fxqx-8xx6