CVE-2023-26144

MEDIUM

graphql 16.3.0-16.8.1 - Denial of Service via Large Query Parsing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-26144. PoCs published by tadhglewis.

AI-analyzed exploit summary: The repository contains only a README with a CVE reference and a pnpm-lock.yaml file, but no actual exploit code or technical details. It appears to be a minimal setup for a GraphQL server using Apollo and Koa, but lacks any PoC or analysis.

Description

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

Exploits (1)

nomisec · STUB · 1 star
by tadhglewis · poc
https://github.com/tadhglewis/apollo-koa-minimal

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apollo Server with GraphQL
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 5.3
EPSS 0.0214
EPSS Percentile 84.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-400
Status: published
Products (3):
graphql/graphql 17.0.0 alpha1 (2 CPE variants)
graphql/graphql 16.3.0 - 16.8.1
npm/graphql 16.3.0 - 16.8.1
Published: Sep 20, 2023
Tracked Since: Feb 18, 2026