Genql
Monthly
Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a `*/` sequence that breaks out of the generated JSDoc comment block. There is no public exploit identified at time of analysis and it is not in CISA KEV; the issue was responsibly disclosed (issue #197) and reported by CISA (cisa-cg), with a vendor patch in 6.3.4.
Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a `*/` sequence that breaks out of the generated JSDoc comment block. There is no public exploit identified at time of analysis and it is not in CISA KEV; the issue was responsibly disclosed (issue #197) and reported by CISA (cisa-cg), with a vendor patch in 6.3.4.