CVE Reports

Originally published at cvereports.com

GHSA-H3HW-29FV-2X75: Context Bleeding: When GraphQL Requests Swap Identities in Envelop

Vulnerability ID: GHSA-H3HW-29FV-2X75
CVSS Score: 8.7
Published: 2026-01-21

A critical race condition in the @envelop/graphql-modules plugin allowed execution contexts to bleed across concurrent requests. This flaw meant that under load, one user's authentication token or session data could potentially be accessed by another user's operation.

TL;DR

The @envelop/graphql-modules plugin failed to properly isolate request contexts during asynchronous operations. By manually managing the OperationController lifecycle instead of using the framework's execution wrappers, the plugin introduced a race condition. If two requests occurred simultaneously, the second request could overwrite the context of the first, leading to severe data leakage and potential account takeovers.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Race Condition / Context Bleeding
  • Severity: High (Data Leakage / Auth Bypass)
  • Affected Component: @envelop/graphql-modules
  • Attack Vector: Network (Concurrent Requests)
  • CVSS Estimate: 8.7 (High)
  • Fix Commit: ab49fa25...

Affected Systems

  • @envelop/graphql-modules npm package
  • GraphQL servers using Envelop and GraphQL Modules
  • Node.js applications relying on @ExecutionContext for auth
  • @envelop/graphql-modules: < Patched Version

Code Analysis

Commit: ab49fa2

fix(graphql-modules): use execution wrapper to avoid race conditions

onExecute({ setExecuteFn, executeFn }) {
  setExecuteFn(
    app.createExecution({
      execute: executeFn,
    }),
  );
}

Exploit Details

  • GitHub (Unit Test): Reproduction test case added in the fix commit showing context swapping.

Mitigation Strategies

  • Upgrade the affected package immediately.
  • Implement concurrent load testing in CI/CD to detect race conditions.
  • Avoid manual lifecycle management of request-scoped dependencies.

Remediation Steps:

  1. Identify if you are using @envelop/graphql-modules in your package.json.
  2. Run npm install @envelop/graphql-modules@latest or yarn upgrade @envelop/graphql-modules.
  3. Verify that the installed version contains the fix (its release date should be Jan 2026 or later).
  4. Run your integration tests to ensure the new execution wrapper doesn't conflict with other plugins.
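
A minimal model of the failure mode described in the TL;DR, together with the kind of concurrent check suggested under Mitigation Strategies. This is an added example, not code from Envelop, GraphQL Modules or the fix commit; every name in it (whoAmI, makeSharedSlotServer, makeWrappedServer, detectContextBleed) and the request objects are hypothetical and constructed for illustration.

```javascript
// Simplified model of cross-request context bleed. Hypothetical names only;
// this is not Envelop or GraphQL Modules source code.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Stand-in for a resolver: does async work, then reads "the current context".
async function whoAmI(getContext, delayMs) {
  await sleep(delayMs);
  const ctx = getContext();
  return ctx ? ctx.user : null; // null: context was already torn down
}

// Unsafe pattern: one shared slot, set at request start and cleared at the end.
function makeSharedSlotServer() {
  let current = null;
  return async function handle(request) {
    current = { user: request.user }; // a concurrent request overwrites this
    try {
      return await whoAmI(() => current, request.delayMs);
    } finally {
      current = null; // manual teardown also hits requests still in flight
    }
  };
}

// Isolated pattern: the context lives in the closure of a single execution.
function makeWrappedServer() {
  return async function handle(request) {
    const context = { user: request.user };
    return whoAmI(() => context, request.delayMs);
  };
}

// Concurrency check for CI: fire N requests with distinct identities at once
// and report every response that does not match the caller's own identity.
async function detectContextBleed(handle, concurrency = 20) {
  const requests = Array.from({ length: concurrency }, (_, i) => ({
    user: `user-${i}`, // constructed sample identities
    delayMs: ((concurrency - i) % 5) + 1, // staggered completion order
  }));
  const seen = await Promise.all(requests.map((r) => handle(r)));
  return requests
    .map((r, i) => ({ expected: r.user, got: seen[i] }))
    .filter((row) => row.got !== row.expected);
}

detectContextBleed(makeSharedSlotServer()).then((m) => console.log('shared slot mismatches:', m.length));
detectContextBleed(makeWrappedServer()).then((m) => console.log('isolated mismatches:', m.length));
```

In a real suite the same check would send concurrent requests carrying distinct tokens to a resolver that echoes the authenticated user, and fail the build on any mismatch.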

Read the full report for GHSA-H3HW-29FV-2X75 on our website for more details including interactive diagrams and full exploit analysis.