CVE-2025-31496 – apollo-compiler

Package

Manager: cargo
Name: apollo-compiler
Vulnerable Version: >=0 <1.27.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00091 pctl0.26749

Details

Apollo Compiler Named Fragment Processing Vulnerability # Impact ## Summary A vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service in applications. ## Details Named fragments were being processed once per fragment spread in some cases during query validation, leading to exponential resource usage when deeply nested and reused fragments were involved. ## Fix/Mitigation The validation logic has been updated to process each named fragment only once, preventing redundant traversal. # Patches This has been remediated in `apollo-compiler` version 1.27.0. # Workarounds No known direct workarounds exist. ## Acknowledgements We appreciate the efforts of the security community in identifying and improving the performance and security of query validation mechanisms.

Metadata

Created: 2025-04-07T19:09:14Z
Modified: 2025-04-08T17:49:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-7mpv-9xg6-5r79/GHSA-7mpv-9xg6-5r79.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-7mpv-9xg6-5r79
Finding: F067
Auto approve: 1