Security Bulletin: Denial of service vulnerability in IBM WebSphere Application Server Liberty may affect IBM Storage Protect Operations Center (CVE-2024-40094).

Summary IBM Storage Protect Operations Center may be affected by denial of service caused by failure to consider ExecutableNormalizedFields in Open-source GraphQL Java library used by IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java ak...

Omitted Break Statement in Switch

Overview api-platform/core is a builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Omitted Break Statement in Switch in the provide function in AccessCheckerProvider.php, accessible via the GraphQL endpoint. An attacker can bypass...

GHSA-7MXX-3CGM-XXV3 API Platform Core does not call GraphQl securityAfterResolver

Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/filesdiff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56...

API Platform Core does not call GraphQl securityAfterResolver

Summary A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https://github.com/api-platform/core/pull/6444/filesdiff-09e3c2cfe12a2ce65bd6c983c7ca6bfcf783f852b8d0554bb938e8ebf5e5fa65R56...

CVE-2025-23204

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVE-2025-23204 GraphQl securityAfterResolver not called

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVE-2025-23204 GraphQl securityAfterResolver not called

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVE-2025-23204

The CVE affects api-platform/core. Starting in version 3.3.8, a logic flaw in the GraphQL security flow is caused by an omitted break in the AccessCheckerProvider switch that is supposed to run after GraphQL resolvers; this fallback can bypass security checks if there is only a post-resolver secu...

CVE-2025-23204 GraphQl securityAfterResolver not called

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in a clause. As this falls back to security, the impact is there only when...

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

GHSA-49M6-VRR9-2CQM MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVE-2025-0453 Denial of Service through Batched Queries in GraphQL in mlflow/mlflow

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVE-2025-0453 Denial of Service through Batched Queries in GraphQL in mlflow/mlflow

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.17.2, which stems from a possible denial-of-servic...

PT-2025-12315 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.17.2 Description: The /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment, tying up all the workers...

Remote Code Execution (RCE)

graphql-ruby is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe schema loading due to the ability to execute arbitrary code when processing a malicious schema definition using GraphQL::Schema.fromintrospection or GraphQL::Schema::Loader.load from an untrusted source...

OSV-2025-215 Security exception in graphql.parser.GraphqlAntlrToLanguage.createType

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=403877661 Crash type: Security exception Crash state: graphql.parser.GraphqlAntlrToLanguage.createType graphql.parser.GraphqlAntlrToLanguage.createListType graphql.parser.GraphqlAntlrToLanguage.createNonNullType...

This Week in Spring – March 18th, 2025

Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new. I love this community! One of the central highlights of this show? Java 24 is here, finally! And, as usual, we'v...