Listen to this Post
The vulnerability arises from improper sanitization of keys during query plan execution in the Apollo Federation gateway. When the gateway processes incoming GraphQL operations, it constructs a query plan by extracting keys from field aliases and variable names. Due to incomplete sanitization, a malicious actor can craft an operation using specific keys like __proto__, constructor, or prototype. If a compromised subgraph returns a JSON response containing these keys, or if a client sends them directly via aliases, the gateway fails to neutralize them. During the query plan execution, these keys are merged into JavaScript objects without proper validation. Because JavaScript objects inherit from Object.prototype, setting a property like `__proto__.polluted` directly modifies the global prototype chain. This pollution is persistent across the entire Node.js process, meaning that once the prototype is polluted, all subsequent requests to the gateway instance will inherit the polluted properties. This can lead to unexpected application behavior, Denial of Service (if polluted properties break logic), or privilege escalation if the polluted properties are used in security-sensitive operations like authentication or authorization checks.
dailycve form:
Platform: Apollo Federation
Version: <2.9.6, 2.10.0-2.10.4, 2.11.0-2.11.5, 2.12.0-2.12.2, 2.13.0-2.13.1
Vulnerability: Prototype Pollution
Severity: Critical
Date: 13 Mar 2026
Prediction: Patched versions released
What Undercode Say:
Analytics:
The vulnerability stems from how the `@apollo/gateway` and `@apollo/query-planner` handle dynamic keys during the composition of query plans. The incomplete sanitization allows attacker-controlled data to merge into object properties, targeting the `Object.prototype` chain.
Exploit:
A malicious client can send a crafted GraphQL operation with aliases that represent dangerous prototype keys.
{
<strong>proto</strong>: <strong>typename
}
In a real attack, an alias might be used on a field that returns user-controlled data:
query Pollute($payload: String!) {
vulnerableField(alias: $payload)
}
If the attacker sets the variable `payload` to "__proto__", and the internal logic uses this string as an object key without sanitization, the prototype is polluted. For a compromised subgraph, a malicious JSON response might look like this:
{
"data": {
"product": {
"__proto</strong>": {
"admin": true
}
}
}
}
If the gateway merges this response without proper key validation, it adds `admin: true` to Object.prototype, potentially granting admin access to subsequent requests.
Protection from this CVE:
- Immediate Upgrade: Update the following packages to the patched versions:
@apollo/federation-internals,@apollo/gateway, `@apollo/query-planner` to2.9.6,2.10.5,2.11.6,2.12.3, or2.13.2.npm install @apollo/[email protected]
- Input Validation (Workaround): Implement a middleware that rejects operations containing specific blocked strings in aliases or variables.
// Express middleware example app.use('/graphql', (req, res, next) => { const body = req.body; if (body && body.query) { const dangerousKeys = ['<strong>proto</strong>', 'constructor', 'prototype']; const queryString = JSON.stringify(body.query); if (dangerousKeys.some(key => queryString.includes(key))) { return res.status(400).json({ error: 'Invalid input pattern detected.' }); } } next(); }); - Subgraph Trust: Ensure all subgraphs in the federated graph originate from trusted and secure sources.
Impact:
Successful exploitation pollutes the global Object.prototype, affecting all subsequent requests in the Node.js process. This can lead to Denial of Service (application crashes), Authentication Bypass (if polluted properties like `admin` are checked), and Data Integrity issues where default object behaviors are altered.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

