GHSA-5c7w-4wm3-85vwMediumDisclosed before NVD
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
📋 Description
Finding
Location: core/src/client/graphql.ts:66-80
The gql template tag function warned about interpolated values containing GraphQL metacharacters ({}():) but still concatenated them into the query string, enabling potential GraphQL injection.
Status
Fixed in v0.2.136 — The gql function now throws an error when metacharacters are detected in interpolated values, forcing developers to use the variables parameter.
🎯 Affected products1
- npm/@asymmetric-effort/specifyjs:< 0.2.136