5.3

CVE-2023-26144

Exploit
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GraphqlGraphql SwPlatformnode.js Version >= 16.3.0 < 16.8.1
GraphqlGraphql Version17.0.0 Updatealpha1 SwPlatformnode.js
GraphqlGraphql Version17.0.0 Updatealpha2 SwPlatformnode.js
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.2% 0.641
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
report@snyk.io 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226
Patch
https://github.com/graphql/graphql-js/issues/3955
Third Party Advisory
Exploit
Issue Tracking
https://github.com/graphql/graphql-js/pull/3972
Product
https://github.com/graphql/graphql-js/releases/tag/v16.8.1
Release Notes
https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
Patch
Third Party Advisory
Exploit
Issue Tracking