Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H and UI:R because it requires an untrusted schema plus a downstream bundle/import step; PR:L reflects an authenticated schema-editing position; full C/I/A High from code execution.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.
AnalysisAI
Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a */ sequence that breaks out of the generated JSDoc comment block. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control the GraphQL schema (specifically a type or field description) that is passed to genql's generate() function - for example a compromised or typosquatted GraphQL endpoint, or a multi-tenant platform where users can edit type/field descriptions - and the payload must contain a `*/` sequence to break out of the generated JSDoc comment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H, base 7.1) captures the key tension: the impact triad is fully High (effective code execution), but exploitation is gated by real prerequisites - attack requirements are present (AT:P), the attacker needs a privileged/controlling position over the schema (PR:H), and active user interaction is required (UI:A), meaning a developer must actually run generation and then bundle/import the output. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a multi-tenant platform where users can edit GraphQL type or field descriptions, an attacker sets a description containing `*/` followed by malicious TypeScript. When the platform's developer or CI runs genql's generate() against that schema and bundles the resulting client, the injected statements execute in the build/runtime process. … |
| Remediation | Vendor-released patch: upgrade @genql/cli to 6.3.4 or later, which escapes any `*/` in schema-derived text to `*\/` before interpolating it into JSDoc blocks; obtain it from https://github.com/remorses/genql/releases/tag/@genql/cli@6.3.4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all projects using @genql/cli and identify which versions are currently deployed-focus on build pipelines and CI/CD systems that generate client code. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45031
GHSA-w757-xvvv-vgfw