{"url":"http://public2.vulnerablecode.io/api/packages/237973?format=json","purl":"pkg:npm/%40apollo/gateway@0.6.0","type":"npm","namespace":"@apollo","name":"gateway","version":"0.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.9.6","latest_non_vulnerable_version":"2.13.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91564?format=json","vulnerability_id":"VCID-5jm7-aj44-p3dq","summary":"Apollo Federation vulnerable to prototype pollution via incomplete key sanitization\n### Impact\n\nA vulnerability exists in query plan execution within the gateway that may allow pollution of `Object.prototype` in certain scenarios. A malicious client may be able to pollute `Object.prototype` in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute `Object.prototype` in gateway by crafting JSON response payloads that target prototype-inheritable properties.\n\nBecause `Object.prototype` is shared across the Node.js process, successful exploitation can affect subsequent requests to the gateway instance. This may result in unexpected application behavior, privilege escalation, data integrity issues, or other security impact depending on how polluted properties are subsequently consumed by the application or its dependencies. As of the date of this advisory, Apollo is not aware of any reported exploitation of this vulnerability.\n\n### Patches\nMitigations addressing prototype pollution exposure have been applied in `@apollo/federation-internals`, `@apollo/gateway`, and `@apollo/query-planner` versions `2.9.6`, `2.10.5`, `2.11.6`, `2.12.3`, and `2.13.2`.   Users are encouraged to upgrade to these versions or later at their earliest convenience.\n\n### Workarounds\nA fully effective workaround is not available without a code change. As an interim measure, users who are unable to upgrade immediately may consider placing an input validation layer in front of the gateway to filter operations containing [GraphQL names](https://spec.graphql.org/September2025/#sec-Names) matching known `Object.prototype` pollution patterns (e.g., `__proto__`, `constructor`, `prototype`). Users should also ensure that subgraphs in their federated graph originate from trusted sources.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32621","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13439","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13528","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13534","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13493","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13407","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32621"},{"reference_url":"https://github.com/apollographql/federation","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/federation"},{"reference_url":"https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-16T20:14:28Z/"}],"url":"https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32621","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32621"},{"reference_url":"https://github.com/advisories/GHSA-pfjj-6f4p-rvmh","reference_id":"GHSA-pfjj-6f4p-rvmh","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfjj-6f4p-rvmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113843?format=json","purl":"pkg:npm/%40apollo/gateway@2.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/813298?format=json","purl":"pkg:npm/%40apollo/gateway@2.10.0-alpha.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8g2d-fdgc-xuea"},{"vulnerability":"VCID-u25m-5v8r-vqfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.10.0-alpha.0"},{"url":"http://public2.vulnerablecode.io/api/packages/113844?format=json","purl":"pkg:npm/%40apollo/gateway@2.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/813304?format=json","purl":"pkg:npm/%40apollo/gateway@2.11.0-preview.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.11.0-preview.0"},{"url":"http://public2.vulnerablecode.io/api/packages/113845?format=json","purl":"pkg:npm/%40apollo/gateway@2.11.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.11.6"},{"url":"http://public2.vulnerablecode.io/api/packages/984342?format=json","purl":"pkg:npm/%40apollo/gateway@2.12.0-preview.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.12.0-preview.0"},{"url":"http://public2.vulnerablecode.io/api/packages/113846?format=json","purl":"pkg:npm/%40apollo/gateway@2.12.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.12.3"},{"url":"http://public2.vulnerablecode.io/api/packages/984346?format=json","purl":"pkg:npm/%40apollo/gateway@2.13.0-preview.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.13.0-preview.0"},{"url":"http://public2.vulnerablecode.io/api/packages/113847?format=json","purl":"pkg:npm/%40apollo/gateway@2.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.13.2"}],"aliases":["CVE-2026-32621","GHSA-pfjj-6f4p-rvmh"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5jm7-aj44-p3dq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57081?format=json","vulnerability_id":"VCID-8g2d-fdgc-xuea","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32031","reference_id":"","reference_type":"","scores":[{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62134","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62132","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62115","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.6213","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62142","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32031"},{"reference_url":"https://github.com/apollographql/federation","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/federation"},{"reference_url":"https://github.com/apollographql/federation/pull/3236","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T14:39:08Z/"}],"url":"https://github.com/apollographql/federation/pull/3236"},{"reference_url":"https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T14:39:08Z/"}],"url":"https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32031","reference_id":"CVE-2025-32031","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32031"},{"reference_url":"https://github.com/advisories/GHSA-p2q6-pwh5-m6jr","reference_id":"GHSA-p2q6-pwh5-m6jr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p2q6-pwh5-m6jr"},{"reference_url":"https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr","reference_id":"GHSA-p2q6-pwh5-m6jr","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T14:39:08Z/"}],"url":"https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84754?format=json","purl":"pkg:npm/%40apollo/gateway@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jm7-aj44-p3dq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/813304?format=json","purl":"pkg:npm/%40apollo/gateway@2.11.0-preview.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.11.0-preview.0"}],"aliases":["CVE-2025-32031","GHSA-p2q6-pwh5-m6jr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8g2d-fdgc-xuea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41093?format=json","vulnerability_id":"VCID-kvxt-zu1f-53a1","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @apollo/gateway.","references":[{"reference_url":"https://github.com/apollographql/apollo-server/commit/cea7397582a293af6a5f60947da34b95e669c6c1","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/apollo-server/commit/cea7397582a293af6a5f60947da34b95e669c6c1"},{"reference_url":"https://github.com/apollographql/apollo-server/pull/2779","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/apollo-server/pull/2779"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-APOLLOGATEWAY-174915","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-APOLLOGATEWAY-174915"},{"reference_url":"https://www.npmjs.com/advisories/917","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/917"},{"reference_url":"https://github.com/advisories/GHSA-74cr-77xc-8g6r","reference_id":"GHSA-74cr-77xc-8g6r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-74cr-77xc-8g6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58226?format=json","purl":"pkg:npm/%40apollo/gateway@0.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jm7-aj44-p3dq"},{"vulnerability":"VCID-8g2d-fdgc-xuea"},{"vulnerability":"VCID-u25m-5v8r-vqfa"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@0.6.2"}],"aliases":["GHSA-74cr-77xc-8g6r","GMS-2019-8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kvxt-zu1f-53a1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57090?format=json","vulnerability_id":"VCID-u25m-5v8r-vqfa","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32030","reference_id":"","reference_type":"","scores":[{"value":"0.00628","scoring_system":"epss","scoring_elements":"0.70673","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00628","scoring_system":"epss","scoring_elements":"0.70674","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00628","scoring_system":"epss","scoring_elements":"0.70652","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00628","scoring_system":"epss","scoring_elements":"0.70664","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00628","scoring_system":"epss","scoring_elements":"0.70681","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32030"},{"reference_url":"https://github.com/apollographql/federation","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apollographql/federation"},{"reference_url":"https://github.com/apollographql/federation/pull/3236","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:13:48Z/"}],"url":"https://github.com/apollographql/federation/pull/3236"},{"reference_url":"https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:13:48Z/"}],"url":"https://github.com/apollographql/federation/releases/tag/%40apollo%2Fgateway%402.10.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32030","reference_id":"CVE-2025-32030","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32030"},{"reference_url":"https://github.com/advisories/GHSA-q2f9-x4p4-7xmh","reference_id":"GHSA-q2f9-x4p4-7xmh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q2f9-x4p4-7xmh"},{"reference_url":"https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh","reference_id":"GHSA-q2f9-x4p4-7xmh","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:13:48Z/"}],"url":"https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84754?format=json","purl":"pkg:npm/%40apollo/gateway@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5jm7-aj44-p3dq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.10.1"},{"url":"http://public2.vulnerablecode.io/api/packages/813304?format=json","purl":"pkg:npm/%40apollo/gateway@2.11.0-preview.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@2.11.0-preview.0"}],"aliases":["CVE-2025-32030","GHSA-q2f9-x4p4-7xmh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u25m-5v8r-vqfa"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540apollo/gateway@0.6.0"}