CVSS3 score: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS2 score: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS score: 0.001 Low
EPSS percentile: 20.7%
graphql-java is vulnerable to denial of service. The ANTLR lexing and parsing code takes proportionally longer to reach the maximum-token state, so a remote attacker can send a crafted GraphQL query that consumes CPU resources and causes an application crash.
github.com/advisories/GHSA-v62j-cxhh-fq22
github.com/graphql-java/graphql-java/commit/0256fd0627148e5b71218e424c310f48b066a041
github.com/graphql-java/graphql-java/commit/7f27a046c1cb133ede2fa64ffe5a499ad4c0b223
github.com/graphql-java/graphql-java/commit/cb88645bec5778c1a90f81e58bd394bdc605c166
github.com/graphql-java/graphql-java/discussions/2958
github.com/graphql-java/graphql-java/issues/2888
github.com/graphql-java/graphql-java/pull/2892
github.com/graphql-java/graphql-java/releases