Critical security vulnerability that affects v1.2.0-beta.5 and v1.2.0

Hasura Security Announcements

May 5, 2020, 7:02:10 PM
to Hasura Security Announcements
Hello folks,

A few hours ago, we discovered a critical security vulnerability that affects the v1.2.0-beta.5 and v1.2.0 versions. v1.2.1 is the new release you should upgrade to immediately if you are running either of the two versions above.

We have also updated the docker images for v1.2 and in case your CI systems pull the latest docker images, this vulnerability will be fixed automatically.

We will be releasing further details and making a public announcement in a few hours. Please upgrade your systems immediately and please do keep this information confidential in the meantime as Hasura users are able to upgrade their systems.

If you face any issues or need any help, please feel free to reach out to us here or via email sup...@hasura.io or via our website intercom chat widget on intercom (hasura.io).

Shahidh K Muhammed

May 11, 2020, 10:40:24 AM
to Hasura Security Announcements
Hello all,


We are taking several steps to ensure that such an incident doesn't happen again, such as:
  1. Flesh out the E2E test suite with more negative tests for authentication
  2. Refactor the auth subsystem to make it more self-contained and harder to misuse within the codebase.
  3. Add property-based/fuzz testing for the auth subsystem
  4. Engage with the Hasura & security community via a bug-bounty program
These are the immediate action items.