5.3 Medium
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P
(5.3 is the base score; the trailing E:P is the temporal Exploit Code Maturity metric, Proof-of-Concept, and is not part of the base score.)
A flaw was found in the graphql package (graphql-js). Affected versions are vulnerable to Denial of Service (DoS): the OverlappingFieldsCanBeMergedRule validation rule (OverlappingFieldsCanBeMergedRule.ts) performs insufficient checks when validating large queries, so a crafted query can consume excessive CPU during validation and degrade service performance. Unauthenticated network access to a GraphQL endpoint is enough to trigger it; no user interaction is required. The fix is included in graphql 16.8.1 (see the release tag and fix commit referenced below).
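The practical check for this advisory is whether any copy of `graphql` installed in a project is older than the fix release. Because npm can install several copies of the same package (a dependency may pin its own older `graphql` under a nested node_modules), auditing only the top-level version misses cases. The script below is an added example, not code from the advisory or from graphql-js: it walks a package-lock.json (lockfileVersion 1, 2 or 3), lists every installed `graphql`, and flags those below 16.8.1. The sample lockfile is constructed for the example. One assumption is labelled in the code: the page names only the fixed release, so every version below 16.8.1 is treated as affected, which is conservative and may flag versions the vendor advisories (Snyk, NVD) do not list; confirm the exact affected range against those entries before acting on a hit.

```javascript
// Added example (not from the advisory or graphql-js): audit a package-lock.json
// for every installed copy of `graphql` older than the fix release.

const FIXED_VERSION = '16.8.1'; // release tag cited by the advisory

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator; a prerelease sorts before its release.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.prerelease && !y.prerelease) return -1; // 16.8.1-rc.1 < 16.8.1
  if (!x.prerelease && y.prerelease) return 1;
  return 0;
}

function isVulnerable(version) {
  // Assumption: anything below the fix release is treated as affected. The
  // advisory states only the fixed version, not a lower bound, so this is
  // conservative; check Snyk/NVD for the exact affected range.
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect { path, version } for every installed graphql, including nested copies.
function findGraphqlInstalls(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === 'node_modules/graphql' || path.endsWith('/node_modules/graphql')) {
        found.push({ path, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'graphql') found.push({ path, version: dep.version });
        if (dep.dependencies) walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function auditLock(lock) {
  return findGraphqlInstalls(lock).map((e) => ({ ...e, vulnerable: isVulnerable(e.version) }));
}

// Constructed sample lockfile (v3 layout): the top-level copy is patched, but a
// dependency pins its own older graphql under a nested node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'api', dependencies: { graphql: '^16.8.1' } },
    'node_modules/graphql': { version: '16.8.1' },
    'node_modules/some-gateway': { version: '1.0.0', dependencies: { graphql: '16.6.0' } },
    'node_modules/some-gateway/node_modules/graphql': { version: '16.6.0' },
  },
};

// Usage: node audit-graphql.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const r of auditLock(lock)) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} graphql@${r.version}`);
  }
}
```

Run against the sample, the top-level `graphql@16.8.1` is reported as ok while the nested `graphql@16.6.0` under `some-gateway` is flagged; that nested copy is the one `some-gateway` will actually load, so bumping the top-level dependency alone would not remediate it. Nested copies typically need an `overrides` entry in package.json or an upgrade of the dependency that pins them.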
bugzilla.redhat.com/show_bug.cgi?id=2239924
github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226
github.com/graphql/graphql-js/issues/3955
github.com/graphql/graphql-js/pull/3972
github.com/graphql/graphql-js/releases/tag/v16.8.1
nvd.nist.gov/vuln/detail/CVE-2023-26144
security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
www.cve.org/CVERecord?id=CVE-2023-26144