Bug 2239924 (CVE-2023-26144)

Summary: CVE-2023-26144 graphql: Insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, dsimansk, gparvin, jburrell, jkoehler, lball, matzew, njean, owatkins, pahickey, rhuss, rogbas, sdawley, stcannon, teagle, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: graphql 16.8.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the graphql package. Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This issue may allow an attacker to degrade system performance.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2239925    

Description Pedro Sampaio 2023-09-20 20:05:29 UTC 
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

References:

https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226
https://github.com/graphql/graphql-js/pull/3972
https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
https://github.com/graphql/graphql-js/issues/3955
https://github.com/graphql/graphql-js/releases/tag/v16.8.1