7.5
CVE-2026-23897
- EPSS 0.63%
- Veröffentlicht 04.02.2026 19:18:59
- Zuletzt bearbeitet 18.03.2026 13:06:52
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginApollo Server is vulnerable to denial of service with `startStandaloneServer`
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apollographql ≫ Apollo Server Version >= 2.0.0 <= 3.13.0
Apollographql ≫ Apollo Server Version >= 4.2.0 < 4.13.0
Apollographql ≫ Apollo Server Version >= 5.0.0 < 5.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.63% | 0.453 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7
https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643
https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4