Security Notification
A path traversal vulnerability was recently discovered in the GraphQL Engine.
What we have done
We have patched versions 1.3, 2.11, 2.20, and 2.21-beta.
What action do I need to take?
Hasura Cloud Projects: Projects running on Hasura Cloud were not vulnerable. No further action is needed unless you also self-host Hasura (see below).
Self-hosted Hasura Projects (Community Edition or Enterprise Edition): If your deployment is publicly exposed and not protected by a WAF or other HTTP protection layer, you need to update immediately to one of the fixed versions.
Public disclosure update
We are issuing a security advisory to the larger user community. A detailed public disclosure of this vulnerability is scheduled for 3/27/2023 to allow all users enough time to mitigate the issue.
If you have any questions or concerns, please do reach out to us at sup...@hasura.io.
Thank you,
The Hasura Cloud Team