CVE-2023-26144

CVSS V2 None CVSS V3 None

Description

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

Overview

CVE ID
CVE-2023-26144

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2023-09-20T05:00:02.129Z

Last Modified Date
2023-09-20T05:00:02.129Z

Weakness Enumerations

CWE	URL
CWE-400	http://cwe.mitre.org/data/definitions/400.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
https://github.com/graphql/graphql-js/pull/3972
https://github.com/graphql/graphql-js/issues/3955
https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226
https://github.com/graphql/graphql-js/releases/tag/v16.8.1

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26144
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26144

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:18:38				Added to TrackCVE