CVE-2025-27097

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:the-guild:graphql_mesh:0.96.5:::::node.js::
	cpe:2.3:a:the-guild:graphql_mesh:0.96.6:::::node.js::
	cpe:2.3:a:the-guild:graphql_mesh:0.96.7:::::node.js::
	cpe:2.3:a:the-guild:graphql_mesh:0.96.8:::::node.js::

History

27 Feb 2025, 20:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:the-guild:graphql_mesh:0.96.7:::::node.js:: cpe:2.3:a:the-guild:graphql_mesh:0.96.5:::::node.js:: cpe:2.3:a:the-guild:graphql_mesh:0.96.8:::::node.js:: cpe:2.3:a:the-guild:graphql_mesh:0.96.6:::::node.js::
Summary		(es) GraphQL Mesh es un framework de trabajo y una puerta de enlace de GraphQL Federation para GraphQL Federation y subgrafos que no son de GraphQL Federation, servicios que no son de GraphQL, como REST y gRPC, y también bases de datos como MongoDB, MySQL y PostgreSQL. Cuando un usuario realiza una transformación en el nivel superusuario o en una única fuente con transformaciones, y el cliente envía la misma consulta con diferentes variables, las variables iniciales se utilizan en todas las solicitudes siguientes hasta que la memoria caché expulsa a DocumentNode. Si se envía un token a través de variables, las solicitudes siguientes actuarán como si se enviara el mismo token, incluso si las solicitudes siguientes tienen tokens diferentes. Esto puede provocar una breve pérdida de memoria, pero no aumentará con cada solicitud, sino con cada operación diferente hasta que la memoria caché expulse a DocumentNode mediante el mecanismo LRU.
First Time		The-guild graphql Mesh The-guild
References	~~() https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886 -~~	() https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886 - Vendor Advisory
CWE		CWE-401
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

20 Feb 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-20 21:15

Updated : 2025-02-27 20:18

NVD link : CVE-2025-27097

Mitre link : CVE-2025-27097

CVE.ORG link : CVE-2025-27097

JSON object : View

Products Affected

the-guild

graphql_mesh

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

7.5 /10