CVE-2023-26144

MEDIUM

graphql <16.8.1 - DoS


Description

Versions of the npm package graphql from 16.3.0 up to, but not including, 16.8.1 are vulnerable to Denial of Service (DoS): the OverlappingFieldsCanBeMergedRule validation rule (OverlappingFieldsCanBeMergedRule.ts) performs insufficient checks when validating large queries, so an attacker who can submit queries to the endpoint can degrade server performance. Note: it has not been demonstrated that this vulnerability can crash the process; the fix is to upgrade to 16.8.1 or later.
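As an added example (not code from the advisory, the PoC repository or graphql-js itself), the following guard shows the usual defense-in-depth for this class of issue while the upgrade is rolled out: bound the size, nesting depth and number of field selections of an incoming document before it is handed to graphql-js validation, where OverlappingFieldsCanBeMergedRule runs as one of the default rules. The limits, the helper names and the sample queries are assumptions made for illustration.

```javascript
// Added example (not from the advisory or from graphql-js): a coarse
// pre-validation guard that rejects oversized, deeply nested or
// selection-heavy GraphQL documents before graphql-js validation runs.
// The limits are illustrative assumptions; tune them to your schema.
const LIMITS = { maxBytes: 16 * 1024, maxDepth: 10, maxSelections: 500 };

// Drop comments and replace string/block-string literals with an empty-string
// placeholder, so braces or names inside literals are not counted as structure.
function stripLiterals(src) {
  let out = '';
  for (let i = 0; i < src.length; ) {
    if (src[i] === '#') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (src.startsWith('"""', i)) {
      i += 3;
      while (i < src.length && !src.startsWith('"""', i)) i++;
      i += 3;
      out += '""';
    } else if (src[i] === '"') {
      i++;
      while (i < src.length && src[i] !== '"') i += src[i] === '\\' ? 2 : 1;
      i++;
      out += '""';
    } else {
      out += src[i++];
    }
  }
  return out;
}

// Tokens: spread (...), names, numbers, the "" placeholder, and punctuators.
// Whitespace, commas and anything else is skipped.
function tokenize(src) {
  const re = /\.\.\.|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|""|[{}()[\]@:$=!|&]/g;
  return src.match(re) || [];
}

// Count request bytes, selection-set nesting depth (the operation's own
// braces count as depth 1) and field selections.
function analyzeQuery(src) {
  const toks = tokenize(stripLiterals(src));
  let depth = 0, maxDepth = 0, parens = 0, selections = 0;
  for (let i = 0; i < toks.length; i++) {
    const t = toks[i], prev = toks[i - 1], next = toks[i + 1];
    if (t === '(') { parens++; continue; }
    if (t === ')') { parens--; continue; }
    if (t === '{') { depth++; if (depth > maxDepth) maxDepth = depth; continue; }
    if (t === '}') { depth--; continue; }
    // A field selection is a Name inside a selection set that is not an
    // argument, directive name, variable, fragment spread target, type
    // condition or alias (the Name before ':').
    const isName = /^[A-Za-z_]/.test(t);
    if (isName && depth > 0 && parens === 0 && t !== 'on' &&
        prev !== '@' && prev !== '...' && prev !== 'on' && prev !== '$' &&
        next !== ':') {
      selections++;
    }
  }
  return { bytes: Buffer.byteLength(src, 'utf8'), maxDepth, selections };
}

// Returns { ok, reasons, stats }; reject the request when ok is false.
function checkQuery(src, limits = LIMITS) {
  const stats = analyzeQuery(src);
  const reasons = [];
  if (stats.bytes > limits.maxBytes) reasons.push(`bytes ${stats.bytes} > ${limits.maxBytes}`);
  if (stats.maxDepth > limits.maxDepth) reasons.push(`depth ${stats.maxDepth} > ${limits.maxDepth}`);
  if (stats.selections > limits.maxSelections) reasons.push(`selections ${stats.selections} > ${limits.maxSelections}`);
  return { ok: reasons.length === 0, reasons, stats };
}

// Constructed sample inputs (not taken from the advisory or the PoC repo).
const NORMAL_QUERY = `query Me($id: ID!) {
  user(id: $id) { id name # display name
    friends(first: 10) @include(if: true) { ...F }
  }
}
fragment F on User { id avatar(size: "large") }`;

// Repeated selections of the same field in one selection set: fields that
// share a response name are the ones the field-merging rule compares pairwise.
function floodQuery(n) {
  return `{ user(id: "1") { ${Array(n).fill('name').join(' ')} } }`;
}

// Deeply nested selection sets.
function deepQuery(n) {
  return '{ a '.repeat(n) + '{ id }' + ' }'.repeat(n);
}

for (const q of [NORMAL_QUERY, floodQuery(600), deepQuery(12)]) {
  console.log(checkQuery(q));
}
```

The guard is deliberately token-level rather than a full parser, so it runs in linear time on attacker-controlled input and fails closed on malformed documents (unbalanced braces simply produce an odd depth). It is a stopgap, not a substitute for upgrading to 16.8.1, and the thresholds should be set from the largest legitimate client query you actually serve.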

Exploits (1)

apollo-koa-minimal by tadhglewis (poc; source: nomisec, STUB; 1 star)
https://github.com/tadhglewis/apollo-koa-minimal

Scores

CVSS v3 5.3 (MEDIUM)
CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS 0.0280 (2.8%)
EPSS Percentile 86.2%
Attack Vector NETWORK

Details

CWE
CWE-400 (Uncontrolled Resource Consumption)
Status published
Products (3)
graphql/graphql 17.0.0 alpha1 (2 CPE variants)
graphql/graphql >= 16.3.0, < 16.8.1 (fixed in 16.8.1)
npm/graphql >= 16.3.0, < 16.8.1 (fixed in 16.8.1)
Published Sep 20, 2023
Tracked Since Feb 18, 2026