R3Dbrothers

**Name of the Vulnerable Software and Affected Versions** Apollo Federation versions prior to 2.9.6 Apollo Federation versions prior to 2.10.5 Apollo Federation versions prior to 2.11.6 Apollo Federation versions prior to 2.12.3 Apollo Federation versions prior to 2.13.2 **Description** Apollo Federation is an architecture for composing APIs into a unified graph. A flaw exists in query plan execution within the gateway that can allow pollution of `Object.prototype` in certain scenarios. A malicious client may be able to pollute `Object.prototype` directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph is compromised, a malicious actor may be able to pollute `Object.prototype` by crafting JSON response payloads that target prototype-inheritable properties. Because `Object.prototype` is shared across the Node.js process, successful exploitation can affect subsequent requests to the gateway instance, potentially resulting in unexpected application behavior, privilege escalation, or data integrity issues. As of the date of this advisory, there are no reported exploitations of this issue. **Recommendations** Upgrade to Apollo Federation version 2.9.6 or later. Upgrade to Apollo Federation version 2.10.5 or later. Upgrade to Apollo Federation version 2.11.6 or later. Upgrade to Apollo Federation version 2.12.3 or later. Upgrade to Apollo Federation version 2.13.2 or later.

**Name of the Vulnerable Software and Affected Versions** Payload versions prior to 3.75.0 **Description** Payload is a free and open source headless content management system. A Server-Side Request Forgery (SSRF) issue exists in the external file upload functionality. Insufficient validation of HTTP redirects when processing external URLs for file uploads could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services and retrieve response content from them through the application. **Recommendations** Upgrade to version 3.75.0 or later. As a workaround, disable external file uploads via the `disableExternalFile` upload collection option. As a workaround, restrict `create` access on upload-enabled collections to trusted users only.

**Name of the Vulnerable Software and Affected Versions** LangChain versions prior to 1.1.18 @langchain/community versions prior to 1.1.18 **Description** A redirect-based Server-Side Request Forgery (SSRF) bypass exists in the `RecursiveUrlLoader` within the `@langchain/community` package. The loader initially validates the URL, but the underlying fetch mechanism automatically follows redirects without revalidation. This allows a transition from a safe public URL to an internal or metadata endpoint, bypassing existing SSRF protections. An attacker who can influence the content of a crawled page can cause the crawler to fetch cloud instance metadata, access internal services on private networks, connect to localhost services, or exfiltrate response data. The `preventOutside` option is insufficient to prevent this bypass when redirects are followed automatically. The issue stems from the fact that SSRF validation is only performed on the initial URL and redirects are followed automatically by the fetch function without additional validation. **Recommendations** Upgrade to `@langchain/community` version 1.1.18 or later, which disables automatic redirects and re-validates `Location` targets before following them.