CVE-2024-47614

HIGH

async-graphql < 7.0.10 - Resource Exhaustion via Unlimited Directive Count

Title source: llm

Description

async-graphql is a GraphQL server library implemented in Rust. async-graphql before 7.0.10 does not limit the number of directives for a field. This can lead to Service Disruption, Resource Exhaustion, and User Experience Degradation. This vulnerability is fixed in 7.0.10.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/async-graphql/async-graphql/security/advisories/GHSA-5gc2-7c65-8fq8

Patch x_refsource_misc

https://github.com/async-graphql/async-graphql/commit/7f1791488463d4e9c5adcd543962173e2f6cbd34

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0055

EPSS Percentile 41.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

async-graphql/async-graphql < 7.0.10

crates.io/async-graphql 0 - 7.0.10crates.io

Published Oct 03, 2024

Tracked Since Feb 18, 2026