Critical vulnerability impacting Hasura GraphQL Engine v2.10.0 onwards

[Shahidh K Muhammed]

Hello folks,

A critical vulnerability has been discovered on Hasura GraphQL Engine v2.10.0 and later. It impacts Community, Enterprise and Cloud Editions. Hasura Cloud has already been patched and is no longer vulnerable.

We urge all users to upgrade to the following patched versions immediately.

Community Edition

Affected versions	Patched version
v2.15.1, v2.15.0	v2.15.2
v2.14.0	v2.14.1
v2.13.1, v2.13.0	v2.13.2
v2.12.0	v2.12.1
v2.11.2, v2.11.1, v2.11.0	v2.11.3
v2.10.1, v2.10.0	v2.10.2

Enterprise Edition

Affected versions	Patched version
v2.15.1, v2.15.0	v2.15.2
v2.14.0	v2.14.1
v2.13.1, v2.13.0	v2.13.2
v2.12.0	v2.12.1
v2.11.2-pro.1, v2.11.1-pro.1, v2.11.0-pro.1	v2.11.3-pro.1
v2.10.1-pro.1, v2.10.0-pro.1	v2.10.2-pro.1

*Note: Starting with v2.12.0, Community and Enterprise editions are the same

Hasura Cloud has already been patched. No action is required from customers.

More details about the vulnerability will be shared on Dec 7th 2022 to give users enough time to update their deployments. If you have any questions or comments about this advisory reach out to us on sup...@hasura.io.

-- Hasura Security Team

[Timothy Cline]

Hello folks,

As promised, a detailed announcement has been crafted and released.  You can read it here: https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/ .  Please reach out to sup...@hasura.io if you have any questions or comments.

As a reminder, Hasura Cloud has already been patched and no action is needed for anything hosted through Hasura Cloud.  Any vulnerable self hosted Hasura instances should be updated per the table in the previous announcement.

Thank you,

- Hasura Security Team