CVE-2025-27097

· Published 20/02/2025 21:15 · Modified 27/02/2025 20:27

Labels: CVE-2025-27097, 2025-02-20, CWE-400, CWE-401

Essential information

Published: 20/02/2025 21:15
Modified: 27/02/2025 20:27
Author:
Creator:
CVSS: 7.5 HIGH (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user applies transforms at the root level, or uses a single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts the DocumentNode. If a token is sent via variables, the following requests will act as if the same token were sent, even if they carry different tokens. This can also cause a short memory leak; it does not grow with each request, but with each different operation, until the cache evicts the DocumentNode through its LRU mechanism.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.

Affected products (CPE)

Product | CPE
the-guild / graphql mesh | cpe:2.3:a:the-guild:graphql_mesh:0.96.5:*:*:*:*:node.js:*:*
the-guild / graphql mesh | cpe:2.3:a:the-guild:graphql_mesh:0.96.6:*:*:*:*:node.js:*:*
the-guild / graphql mesh | cpe:2.3:a:the-guild:graphql_mesh:0.96.7:*:*:*:*:node.js:*:*
the-guild / graphql mesh | cpe:2.3:a:the-guild:graphql_mesh:0.96.8:*:*:*:*:node.js:*:*