Low severity 3.7 · NVD Advisory · Published Jun 12, 2024 · Updated Apr 15, 2026
CVE-2023-49559
Description
An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/vektah/gqlparser/v2 (Go) | < 2.5.14 | 2.5.14 |
| github.com/vektah/gqlparser (Go) | < 2.5.14 | 2.5.14 |
Patches
36a3658873bf · Add ParseQueryWithLimit (#304)
1 file changed · +9 −1
parser/query.go+9 −1 modified@@ -9,7 +9,15 @@ import ( func ParseQuery(source *Source) (*QueryDocument, error) { p := parser{ lexer: lexer.New(source), - maxTokenLimit: 0, // 0 is the default value + maxTokenLimit: 0, // 0 means unlimited + } + return p.parseQueryDocument(), p.err +} + +func ParseQueryWithTokenLimit(source *Source, maxTokenLimit int) (*QueryDocument, error) { + p := parser{ + lexer: lexer.New(source), + maxTokenLimit: maxTokenLimit, } return p.parseQueryDocument(), p.err }
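Review bot: ParseQuery still builds the parser with `maxTokenLimit: 0`, which the updated comment defines as unlimited, so every existing caller stays unbounded and the limit only takes effect in code that is changed to call ParseQueryWithTokenLimit; the doc comment and release notes should state that the protection is opt-in. ParseQueryWithTokenLimit is exported without a doc comment and does not say what a `maxTokenLimit` of 0 or a negative value does; since 0 means unlimited, a caller passing an unset configuration value silently gets no limit, so either document that or reject non-positive values. The parser construction is also duplicated across the two functions; ParseQuery could simply return `ParseQueryWithTokenLimit(source, 0)`. Finally, the commit title says ParseQueryWithLimit while the function added is ParseQueryWithTokenLimit.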
References
- github.com/advisories/GHSA-2hmf-46v7-v6fx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-49559 (ghsa, ADVISORY)
- gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1 (nvd, WEB)
- github.com/99designs/gqlgen/issues/3118 (ghsa, WEB)
- github.com/vektah/gqlparser/blob/master/parser/query.go (ghsa, WEB)
- github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977 (ghsa, WEB)