Severity: MEDIUM

GHSA-5c7w-4wm3-85vw

@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection

Details

## Finding

**Location**: `core/src/client/graphql.ts:66-80`

The `gql` template tag function warned when an interpolated value contained GraphQL metacharacters (`{}():`) but still concatenated the value into the query string. An attacker who controls such a value can therefore close the enclosing string literal or argument list and append selections of their own, i.e. GraphQL injection; the warning alone gave no protection at runtime.

## Status

**Fixed in v0.2.136**: the `gql` function now throws an error when metacharacters are detected in an interpolated value, forcing developers to pass such values through the `variables` parameter. GraphQL variables are sent as data alongside the query text rather than spliced into it, so they cannot change the query's structure.
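The following is an added example, not code from `@asymmetric-effort/specifyjs`; it reconstructs the two behaviours the advisory describes in two hypothetical template tags (`gqlUnsafe` for the warn-and-concatenate behaviour before the fix, `gqlStrict` for the throwing behaviour after it) and shows the safe pattern the fix pushes callers toward: literal query text plus a separate `variables` object. The helper names (`buildRequest`, `unsafeQueryFor`, `strictRejects`) and the attacker payload are constructed for illustration.

```typescript
// Added example, not specifyjs's own implementation. The metacharacter set
// `{}():` is the one named in the advisory; everything else is an assumption.
const GQL_METACHARS = /[{}():]/;

// Pre-fix behaviour: warn about metacharacters, then splice the value in anyway.
function gqlUnsafe(strings: TemplateStringsArray, ...values: unknown[]): string {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = String(values[i]);
    if (GQL_METACHARS.test(v)) {
      console.warn(`gql: interpolated value contains GraphQL metacharacters: ${v}`);
    }
    out += v + strings[i + 1];
  }
  return out;
}

// Post-fix behaviour: refuse to build the query at all when a metacharacter appears.
function gqlStrict(strings: TemplateStringsArray, ...values: unknown[]): string {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = String(values[i]);
    if (GQL_METACHARS.test(v)) {
      throw new Error(
        `gql: interpolated value contains GraphQL metacharacters; pass it via variables instead: ${v}`,
      );
    }
    out += v + strings[i + 1];
  }
  return out;
}

// Request shape sent to a GraphQL endpoint: query text and variables kept separate.
interface GraphQLRequest {
  query: string;
  variables: Record<string, unknown>;
}

// Safe pattern: the user-controlled value never touches the query text.
function buildRequest(userId: string): GraphQLRequest {
  return {
    query: gqlStrict`query ($id: ID!) { user(id: $id) { name } }`,
    variables: { id: userId },
  };
}

// Vulnerable pattern: the user-controlled value is interpolated into the query.
function unsafeQueryFor(userId: string): string {
  return gqlUnsafe`{ user(id: "${userId}") { name } }`;
}

// Does the strict tag reject this interpolation?
function strictRejects(userId: string): boolean {
  try {
    gqlStrict`{ user(id: "${userId}") { name } }`;
    return false;
  } catch {
    return true;
  }
}

// Constructed attacker input: closes the string and the argument list, requests
// a field the original query never selected, and adds an aliased second lookup.
const PAYLOAD = '1") { email } admin: user(id: "2';

function demo(): void {
  // Before the fix: a warning is logged, but the injected query is still built.
  console.log(unsafeQueryFor(PAYLOAD));
  // After the fix: the same input throws instead of producing a query.
  console.log(strictRejects(PAYLOAD));
  // Safe form: the payload is inert data in `variables`.
  console.log(JSON.stringify(buildRequest(PAYLOAD)));
}

demo();
```

With the payload above, `gqlUnsafe` yields `{ user(id: "1") { email } admin: user(id: "2") { name } }`, a syntactically valid document that leaks `email` and a second record. The metacharacter check turns that into a thrown error, but note that the check is a guard against structural injection, not a sanitizer: the durable fix is the one the advisory names, passing untrusted values only through `variables`.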


Affected packages

- npm / `@asymmetric-effort/specifyjs`: affected versions < 0.2.136 (introduced in 0, i.e. every earlier release); fixed in 0.2.136.
- Fix: `npm install @asymmetric-effort/specifyjs@0.2.136`
