GMS-2020-279: Authorization Bypass in graphql-shield

September 3, 2020 (updated September 29, 2021)

Versions of graphql-shield are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.

References

github.com/advisories/GHSA-hx78-272p-mqqh
www.npmjs.com/advisories/1121

Code Behaviors & Features

Detect and mitigate GMS-2020-279 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →