Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

Prime cross-site request forgeing vulnerability

Prime is a content management system developed by Birkir Gudjonsson. Versions of Prime prior to 0.4.0.beta.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from cross-site request forgery in the GraphQL endpoints, which could allow attackers to trigger...

Gitlab -- vulnerabilities

Gitlab reports: Cross-site scripting issue in Wiki impacts GitLab CE/EE Improper encoding in vulnerability reports impacts GitLab CE/EE Cross-site scripting issue in Swagger UI impacts GitLab CE/EE Denial of service issue in GraphQL endpoints impacts GitLab CE/EE Authentication bypass issue for...

EUVD-2024-0355

Malicious code in bioql PyPI...

CVE-2025-8014

Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption...

CVE-2025-8014 Allocation of Resources Without Limits or Throttling in GitLab

Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption...

CVE-2025-8014

Removed by vendor...

CVE-2025-8014

CVE-2025-8014 affects GitLab CE/EE where unauthenticated users could bypass query complexity limits on GraphQL endpoints, potentially causing resource exhaustion and DoS. Affected versions include GitLab 11.10 up to 18.2.7, 18.3 up to 18.3.3, and 18.4 up to 18.4.1. The vulnerability stems from un...

CVE-2023-46942

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...

Improper Authorization

@evershop/evershop is vulnerable to Improper Authorization. The vulnerability is due to lack of authorization checks while accessing GraphQL endpoints, resulting in Remote attackers extracting sensitive information...

PT-2024-11510 · WordPress · Wpgraphql Woocommerce

Name of the Vulnerable Software and Affected Versions: WPGraphQL WooCommerce WordPress plugin versions prior to 0.12.4 Description: The issue allows unauthenticated attackers to enumerate a shop's coupon codes and values via GraphQL. This can be done through GraphQL endpoints, potentially exposin...

GHSA-GGPM-9QFX-MHWG EverShop vulnerable to improper authorization in GraphQL endpoints

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.9, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...

CVE-2023-46942

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...

PT-2024-13390 · Npm · @Evershop/Evershop

Name of the Vulnerable Software and Affected Versions: @evershop/evershop versions prior to 1.0.0-rc.8 Description: The issue is related to a lack of authentication in the @evershop/evershop package, which allows remote attackers to obtain sensitive information via improper authorization in Graph...

DDOS attack on graphql endpoints

An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack DDOS attack against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas. If your Silverstripe CMS project does not expose a public...

GHSA-67G8-C724-8MP3 DDOS attack on graphql endpoints

An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack DDOS attack against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas. If your Silverstripe CMS project does not expose a public...

CVE-2023-28104 DDOS attack on graphql endpoints

More info at https://www.silverstripe.org/download/security-releases/CVE-2023-28104...

PT-2020-18975 · Silverstripe · Silverstripe

Name of the Vulnerable Software and Affected Versions: SilverStripe version 4.5.0 Description: The issue allows attackers to read certain records that should not have been placed into a result set. This is due to the automatic permission-checking mechanism in the silverstripe/graphql module not...