Moderate severity · OSV Advisory · Published Sep 20, 2023 · Updated Sep 24, 2024
CVE-2023-26144
Description
Versions of the npm package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in OverlappingFieldsCanBeMergedRule.ts (a rule that runs during query validation, after parsing) when validating large queries. An attacker who can submit queries can use this to degrade server performance. Note: it has not been proven that this vulnerability can crash the process.
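The fix is to upgrade to graphql 16.8.1 or later. As defence in depth, a server can also refuse oversized documents before the standard validation rules (including OverlappingFieldsCanBeMergedRule) ever run, since the rule's cost grows with the number of fields and fragment spreads it has to compare. The following is an added example, not graphql-js code and not the project's fix: a small lexer that measures a document's selection depth, field count and fragment-spread count and rejects it against a budget. The function names (`tokenize`, `measureDocument`, `checkQueryBudget`), the limits in `DEFAULT_LIMITS` and the sample queries are all constructed for illustration.

```javascript
'use strict';
// Added example (not graphql-js code): a pre-validation shape budget for GraphQL
// documents. Run checkQueryBudget() on the raw query text before calling
// graphql's validate(); documents over budget never reach the expensive rules.

const PUNCT = new Set(['!', '$', '&', '(', ')', ':', '=', '@', '[', ']', '{', '}', '|']);

// Lexer: yields punctuator strings and {name} objects. String, block-string and
// number literals are skipped because only the document's shape matters here.
// (Simplification: an escaped """ inside a block string is not handled.)
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === ',' || c === '\uFEFF') { i++; continue; }
    if (c === '#') { while (i < src.length && src[i] !== '\n') i++; continue; }   // comment
    if (src.startsWith('"""', i)) {                                               // block string
      const end = src.indexOf('"""', i + 3);
      if (end < 0) throw new SyntaxError('unterminated block string');
      i = end + 3; continue;
    }
    if (c === '"') {                                                              // string with escapes
      i++;
      while (i < src.length && src[i] !== '"') { if (src[i] === '\\') i++; i++; }
      if (i >= src.length) throw new SyntaxError('unterminated string');
      i++; continue;
    }
    if (src.startsWith('...', i)) { tokens.push('...'); i += 3; continue; }
    if (PUNCT.has(c)) { tokens.push(c); i++; continue; }
    if (/[_A-Za-z]/.test(c)) {                                                    // Name
      let j = i + 1;
      while (j < src.length && /[_0-9A-Za-z]/.test(src[j])) j++;
      tokens.push({ name: src.slice(i, j) });
      i = j; continue;
    }
    if (/[-0-9]/.test(c)) {                                                       // int / float literal
      let j = i + 1;
      while (j < src.length && /[0-9.eE+-]/.test(src[j])) j++;
      i = j; continue;
    }
    throw new SyntaxError(`unexpected character ${JSON.stringify(c)} at offset ${i}`);
  }
  return tokens;
}

// Walk the tokens and count fields, selection-set depth and fragment spreads.
// Braces inside argument lists (object values) are not selection sets, so brace
// depth is only tracked while no parenthesis is open.
function measureDocument(src) {
  const tokens = tokenize(src);
  let braceDepth = 0, parenDepth = 0, maxDepth = 0, fields = 0, spreads = 0;
  let prev = null;       // previous token
  let skipNames = 0;     // names still to skip after "..." (spread name or "on Type")
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k];
    if (typeof t === 'string') {
      if (t === '(') parenDepth++;
      else if (t === ')') parenDepth--;
      else if (t === '{' && parenDepth === 0) { braceDepth++; if (braceDepth > maxDepth) maxDepth = braceDepth; }
      else if (t === '}' && parenDepth === 0) braceDepth--;
      else if (t === '...') {
        const next = tokens[k + 1];
        if (next && typeof next === 'object' && next.name === 'on') skipNames = 2;  // inline fragment "... on Type"
        else if (next && typeof next === 'object') { spreads++; skipNames = 1; }     // named spread "...Frag"
        // "... {" / "... @dir {" is an inline fragment without a type condition
      }
    } else if (parenDepth === 0 && braceDepth > 0) {
      if (skipNames > 0) skipNames--;
      else if (prev !== ':' && prev !== '@') fields++;  // not an alias target, not a directive name
    }
    prev = t;
  }
  if (braceDepth !== 0 || parenDepth !== 0) throw new SyntaxError('unbalanced braces or parentheses');
  return { fields, depth: maxDepth, spreads };
}

// Illustrative limits; tune to the real schema and workload.
const DEFAULT_LIMITS = { maxFields: 500, maxDepth: 15, maxSpreads: 50 };

function checkQueryBudget(src, limits = DEFAULT_LIMITS) {
  let m;
  try { m = measureDocument(src); }
  catch (e) { return { ok: false, reason: `malformed document: ${e.message}` }; }
  if (m.depth > limits.maxDepth) return { ok: false, reason: `depth ${m.depth} exceeds ${limits.maxDepth}`, ...m };
  if (m.fields > limits.maxFields) return { ok: false, reason: `fields ${m.fields} exceeds ${limits.maxFields}`, ...m };
  if (m.spreads > limits.maxSpreads) return { ok: false, reason: `spreads ${m.spreads} exceeds ${limits.maxSpreads}`, ...m };
  return { ok: true, ...m };
}

// Constructed sample: a normal client query (7 fields, depth 2, 1 spread).
const SMALL_QUERY = `
  query Viewer($id: ID!) {
    user(id: $id) { id name ...Avatar }
    alias: user(id: $id) { id }
  }
  fragment Avatar on User { avatar(size: 64) { url } }
`;

// Constructed generator for a wide document: n aliased siblings, each spreading
// the same fragment, the kind of shape that makes pairwise field-merge checks
// expensive. Yields 2n+1 fields, n spreads, depth 2.
function generateWideQuery(n) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(`f${i}: user(id: 1) { id ...F }`);
  return `{ ${parts.join(' ')} } fragment F on User { name }`;
}

console.log(checkQueryBudget(SMALL_QUERY));             // { ok: true, fields: 7, depth: 2, spreads: 1 }
console.log(checkQueryBudget(generateWideQuery(1000)));  // { ok: false, reason: 'fields 2001 exceeds 500', ... }
```

In a server this guard sits in front of `validate(schema, parse(query))`; it is a shape budget, not a replacement for the rule, and does not remove the need to upgrade past 16.8.1.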
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| graphql (npm) | >= 16.3.0, < 16.8.1 | 16.8.1 |
Affected products
- Range: v16.3.0, v16.4.0, v16.5.0, …
References
- github.com/advisories/GHSA-9pv7-vfvm-6vr7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26144 (GHSA, advisory)
- github.com/graphql/graphql-js/commit/8f4c64eb6a7112a929ffeef00caa67529b3f2fcf (GHSA, web)
- github.com/graphql/graphql-js/issues/3955 (GHSA, web)
- github.com/graphql/graphql-js/pull/3972 (GHSA, web)
- github.com/graphql/graphql-js/releases/tag/v16.8.1 (GHSA, web)
- security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181 (GHSA, web)
- github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226 (MITRE)