@apollo/composition 2.12.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @apollo/composition package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Incorrect Authorization @apollo/composition is an Apollo Federation composition utilities Affected versions of this package are vulnerable to Incorrect Authorization via the composition logic, which failed to validate that fields have the same access control requirements as the data they reference. An attacker can retrieve sensitive information by crafting queries that access protected fields indirectly through dependencies defined with `@requires` or `@fromContext` directives, thereby bypassing intended access control checks. Note: This vulnerability only affects users of Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy directives`) that utilize `@requires` or `@fromContext` directives in combination with field-level access control. How to fix Incorrect Authorization? Upgrade `@apollo/composition` to version 2.9.5, 2.10.4, 2.11.5-preview.0, 2.12.1 or higher.	<2.9.5>=2.10.0-alpha.0 <2.10.4>=2.11.0-preview.0 <2.11.5-preview.0>=2.12.0-preview.0 <2.12.1
H Authentication Bypass Using an Alternate Path or Channel @apollo/composition is an Apollo Federation composition utilities Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel. An attacker can gain unauthorized access to restricted interface types or fields by crafting queries that target implementing object types or fields through inline fragments, thereby bypassing intended access controls. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `@apollo/composition` to version 2.9.5, 2.10.4, 2.11.5, 2.12.1 or higher.	<2.9.5>=2.10.0-alpha.0 <2.10.4>=2.11.0-preview.0 <2.11.5>=2.12.0-preview.0 <2.12.1

Vulnerability

Vulnerable Version

Incorrect Authorization

@apollo/composition is an Apollo Federation composition utilities

Affected versions of this package are vulnerable to Incorrect Authorization via the composition logic, which failed to validate that fields have the same access control requirements as the data they reference. An attacker can retrieve sensitive information by crafting queries that access protected fields indirectly through dependencies defined with @requires or @fromContext directives, thereby bypassing intended access control checks.

Note: This vulnerability only affects users of Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) that utilize @requires or @fromContext directives in combination with field-level access control.

How to fix Incorrect Authorization?

Upgrade @apollo/composition to version 2.9.5, 2.10.4, 2.11.5-preview.0, 2.12.1 or higher.

<2.9.5>=2.10.0-alpha.0 <2.10.4>=2.11.0-preview.0 <2.11.5-preview.0>=2.12.0-preview.0 <2.12.1

Authentication Bypass Using an Alternate Path or Channel

@apollo/composition is an Apollo Federation composition utilities

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel. An attacker can gain unauthorized access to restricted interface types or fields by crafting queries that target implementing object types or fields through inline fragments, thereby bypassing intended access controls.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade @apollo/composition to version 2.9.5, 2.10.4, 2.11.5, 2.12.1 or higher.

<2.9.5>=2.10.0-alpha.0 <2.10.4>=2.11.0-preview.0 <2.11.5>=2.12.0-preview.0 <2.12.1

@apollo/composition@2.12.0 vulnerabilities

Apollo Federation composition utilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically