CVE-2023-26144 – graphql

Package

Manager: npm
Name: graphql
Vulnerable Version: >=16.3.0 <16.8.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00966 pctl0.75697

Details

graphql Uncontrolled Resource Consumption vulnerability Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

Metadata

Created: 2023-09-20T06:30:50Z
Modified: 2023-09-21T17:03:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-9pv7-vfvm-6vr7/GHSA-9pv7-vfvm-6vr7.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-9pv7-vfvm-6vr7
Finding: F002
Auto approve: 1