CVE-2025-27097

Feb. 27, 2025, 8:27 p.m.

7.5
High

Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.

Product(s) Impacted

Vendor Product Versions
The-guild
  • Graphql Mesh
  • 0.96.5, 0.96.6, 0.96.7, 0.96.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CWE-401
Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a the-guild graphql_mesh 0.96.5 / / / / node.js / /
a the-guild graphql_mesh 0.96.6 / / / / node.js / /
a the-guild graphql_mesh 0.96.7 / / / / node.js / /
a the-guild graphql_mesh 0.96.8 / / / / node.js / /

References

https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886

Tags

security-advisories@github.com
CWE-400
CWE-401
2025-02-20
CVE-2025-27097

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Feb. 20, 2025, 9:15 p.m.
Last Modified: Feb. 27, 2025, 8:27 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.