GHSA-5c7w-4wm3-85vwMediumDisclosed before NVD

@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection

Published
July 2, 2026
Last Modified
July 2, 2026

📋 Description

Finding

Location: core/src/client/graphql.ts:66-80

The gql template tag function warned about interpolated values containing GraphQL metacharacters ({}():) but still concatenated them into the query string, enabling potential GraphQL injection.

Status

Fixed in v0.2.136 — The gql function now throws an error when metacharacters are detected in interpolated values, forcing developers to use the variables parameter.

🎯 Affected products1

  • npm/@asymmetric-effort/specifyjs:< 0.2.136

🔗 References (3)