CVE-2026-63397 in genql
Summary
by MITRE • 07/16/2026
remorses/genql before version 6.3.4 allows an authenticated attacker with control of the GraphQL schema that is passed to genql to inject arbitrary JavaScript or TypeScript. The malicious code is injected into the generated schema.ts file and executes when the genql client is bundled and imported.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in remorses/genql prior to version 6.3.4 represents a critical server-side template injection flaw that enables authenticated attackers to execute arbitrary code through malicious GraphQL schema manipulation. This issue stems from inadequate input sanitization during the schema processing phase where user-controlled schema definitions are directly incorporated into generated TypeScript files without proper validation or escaping mechanisms. The vulnerability operates at the intersection of code generation and schema parsing, creating a dangerous attack vector where legitimate schema modifications can be weaponized to inject malicious JavaScript or TypeScript code.
The technical exploitation occurs when an authenticated attacker with access to modify GraphQL schemas passes specially crafted schema definitions that contain executable code snippets. These malicious inputs are then processed by the genql library and embedded directly into the generated schema.ts file through a template-based code generation approach. The injected code executes during the bundling and import phases of the genql client, effectively allowing attackers to execute arbitrary JavaScript or TypeScript in the context of the application that consumes the generated client code. This represents a classic case of insecure template processing where dynamic content is not properly sanitized before being incorporated into executable code.
The operational impact of this vulnerability extends beyond simple code injection, as it can lead to complete compromise of applications using vulnerable versions of genql. Attackers can leverage this flaw to execute arbitrary commands, access sensitive data, perform unauthorized operations against backend systems, or establish persistence mechanisms within the application environment. The vulnerability affects any system where genql is used to generate client-side code from GraphQL schemas, particularly in environments where schema modifications are not strictly controlled or validated. This creates a significant risk for applications that rely on dynamic schema generation and automated code generation workflows.
Mitigation strategies should focus on implementing strict input validation and sanitization mechanisms within the schema processing pipeline to prevent malicious code injection. Organizations should upgrade to version 6.3.4 or later where proper sanitization has been implemented to address this vulnerability. Additionally, access controls should be strengthened to limit who can modify GraphQL schemas, and automated code generation processes should include security scanning of generated artifacts before deployment. The vulnerability aligns with CWE-94 (Improper Control of Generation of Code) and can be categorized under ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell), as the injected code executes within the JavaScript runtime environment. Regular security audits of code generation pipelines and schema validation processes are essential to prevent similar vulnerabilities in other libraries or applications that perform dynamic code generation based on user input.