16 matches found
Graphql-upload-minimal has a prototype pollution vulnerability.
Overview Version 1.6.1 of the Flash Payments package graphql-upload-minimal is vulnerable to prototype pollution. This vulnerability, located in the processRequest function, allows an attacker to inject special property names into the operations.variables object and pollute global object...
Prototype Pollution
Overview graphql-upload-minimal is a Minimalistic and developer friendly middleware and an Upload scalar to add support for GraphQL multipart requests file uploads via queries and mutations to various Node.js GraphQL servers. Affected versions of this package are vulnerable to Prototype Pollution...
@24hr/ettapi (>=0.0.1 <=0.2.5), @dzangolab/fastify-s3 (>=0.48.0 <=0.87.0) +1 more potentially affected by CVE-2025-65587 via graphql-upload-minimal (>=1.5.3 <=1.6.1)
graphql-upload-minimal NPM version =1.5.3, =0.0.1, =0.48.0, =0.88.0, =0.93.4 Source cves: CVE-2025-65587 Source advisory: SNYK:JS-GRAPHQLUPLOADMINIMAL-15682460...
EUVD-2022-33694
Malicious code in bioql PyPI...
CVE-2022-29353
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
GHSA-2P3C-P3QW-69R4 The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...
The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...
PT-2022-28174 · Apollo · Apollo Server 2 +1
Name of the Vulnerable Software and Affected Versions: Apollo Server 2 versions prior to 2.25.4 Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled Description: The graphql-upload npm package can execute GraphQL operations contained in...
Remote Code Execution (RCE)
graphql-upload is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization of file name via the upload function...
CVE-2022-29353
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
CVE-2022-29353
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
CVE-2022-29353
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
Design/Logic Flaw
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
CVE-2022-29353
Affected software: Graphql-upload v13.0.0 (Node.js middleware). Vulnerable component: file upload module; root cause: arbitrary file upload via crafted filename enables code execution. Impact: remote code execution with high/critical severity indicators (network vector, no authentication; confide...
CVE-2022-29353
An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...
Graphql-upload 代码问题漏洞
Graphql-upload is a middleware and upload scalar from the individual developer Jayden Seric in Australia. It is used to add support for GraphQL multi-part requests uploading files via queries and mutations to various Node.js Graphql servers. A security vulnerability exists in Graphql-upload versi...