CVE-2024-40094

MEDIUM

GraphQL Java <21.5 - DoS

Title source: llm

Description

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.

Exploits (1)

nomisec WORKING POC 3 stars

by kabiri-labs · poc

https://github.com/kabiri-labs/CVE-2024-40094

View Code ZIP pw:eip

References (6)

[Various Sources] https://github.com/graphql-java/graphql-java/discussions/3641

[Patch] https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a

[Issue Tracking] https://github.com/graphql-java/graphql-java/pull/3539

[Release Notes] https://github.com/graphql-java/graphql-java/releases/tag/v19.11

[Release Notes] https://github.com/graphql-java/graphql-java/releases/tag/v20.9

[Release Notes] https://github.com/graphql-java/graphql-java/releases/tag/v21.5

Scores

CVSS v3 5.3

EPSS 0.1753

EPSS Percentile 95.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

Status published

Products (1)

com.graphql-java/graphql-java 0 - 19.11Maven

Published Jul 30, 2024

Tracked Since Feb 18, 2026