14 matches found
webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
Summary OverlappingFieldsCanBeMerged validation rule has On^2 x m^2 worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query 200 outer x 100 inner inline fragments consumes 117 seconds of CPU per request, with no comparison...
GHSA-FC86-6RV6-2JPM webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
Summary OverlappingFieldsCanBeMerged validation rule has On^2 x m^2 worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query 200 outer x 100 inner inline fragments consumes 117 seconds of CPU per request, with no comparison...
CVE-2025-32380 Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router's usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively...
CVE-2025-32034 Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively...
CVE-2025-32034 Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively...
CVE-2025-32030
CVE-2025-32030 concerns Apollo Gateway (GraphQL federation). The vulnerability occurs prior to version 2.10.1, where queries using deeply nested and reused named fragments could trigger prohibitively expensive query planning. Specifically, named fragments were expanded once per fragment spread du...
CVE-2025-31496
CVE-2025-31496 affects the Apollo Compiler (GraphQL) prior to version 1.27.0. The vulnerability arises from how deeply nested and reused named fragments are validated, where each named fragment could be processed once per fragment spread, causing exponential resource consumption and potential den...
CVE-2025-31496 apollo-compiler Named Fragment Processing Vulnerability
apollo-compiler is a query-based compiler for the GraphQL query language. Prior to 1.27.0, a vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. Named fragments were being processed once per fragment spread in...
CVE-2025-31496 apollo-compiler Named Fragment Processing Vulnerability
apollo-compiler is a query-based compiler for the GraphQL query language. Prior to 1.27.0, a vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. Named fragments were being processed once per fragment spread in...
GHSA-7MPV-9XG6-5R79 Apollo Compiler Named Fragment Processing Vulnerability
Impact Summary A vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service in applications. Details Named fragments were being processed once per...
GHSA-Q2F9-X4P4-7XMH Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
Impact Summary A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. This could lead to excessive resource consumption and denial of service. Details Named fragment...
GHSA-3J43-9V8V-CP3F Apollo Router Query Validation Vulnerable to Excessive Resource Consumption via Named Fragment Processing
Impact Summary A vulnerability in Apollo Router's usage of Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. This could lead to excessive resource consumption and denial of service. Details Named fragments were being processed...
Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
Impact Summary A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. This could lead to excessive resource consumption and denial of service. Details Named fragments...
GHSA-75M2-JHH5-J5G2 Apollo Router Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
Impact Summary A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. This could lead to excessive resource consumption and denial of service. Details Named fragments...