Bug 2239924 (CVE-2023-26144) - CVE-2023-26144 graphql: Insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries
Summary: CVE-2023-26144 graphql: Insufficient checks in the OverlappingFieldsCanBeMerg...
Keywords:
Status: NEW
Alias: CVE-2023-26144
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2239925
 
Reported: 2023-09-20 20:05 UTC by Pedro Sampaio
Modified: 2025-05-06 08:29 UTC

Fixed In Version: graphql 16.8.1
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-09-20 20:05:29 UTC
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

References:

https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226
https://github.com/graphql/graphql-js/pull/3972
https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
https://github.com/graphql/graphql-js/issues/3955
https://github.com/graphql/graphql-js/releases/tag/v16.8.1
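For triage, the actionable part of this report is the affected range: graphql 16.3.0 up to but not including 16.8.1, fixed in 16.8.1. The following is an added example, not code from the bug report or from the graphql-js project, showing how a defender can check a Node project's lockfile for affected copies of graphql, including nested copies hoisted under other dependencies. It assumes a package-lock.json with lockfileVersion 2 or 3 (the "packages" map keyed by node_modules paths); the sample lockfile object is constructed for the example and does not describe any real project.

```javascript
// Added example (not part of the Bugzilla report or graphql-js): scan a
// package-lock.json (lockfileVersion 2/3) for graphql entries inside the
// affected range stated in the report, 16.3.0 <= version < 16.8.1.

const AFFECTED_MIN = '16.3.0'; // first affected version per the report
const FIXED_IN = '16.8.1';     // "Fixed In Version" from the report

// Parse "major.minor.patch" (ignoring any pre-release/build suffix) into numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two versions: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when an installed graphql version falls in the affected range.
function isAffectedGraphqlVersion(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, FIXED_IN) < 0;
}

// Walk the "packages" map of a v2/v3 lockfile and report every copy of
// graphql (top-level or nested under another dependency) that is affected.
function findAffectedGraphql(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Keys look like "node_modules/graphql" or
    // "node_modules/some-plugin/node_modules/graphql".
    if (!path.endsWith('node_modules/graphql')) continue;
    if (entry.version && isAffectedGraphqlVersion(entry.version)) {
      findings.push({ path, version: entry.version, fixedIn: FIXED_IN });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project, not real data): one
// affected top-level copy, one already-fixed nested copy, one 15.x copy
// that is outside the affected range.
const SAMPLE_LOCKFILE = {
  name: 'example-api',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-api', dependencies: { graphql: '^16.6.0' } },
    'node_modules/graphql': { version: '16.6.0' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { graphql: '^16.8.1' } },
    'node_modules/some-plugin/node_modules/graphql': { version: '16.8.1' },
    'node_modules/legacy-tool/node_modules/graphql': { version: '15.8.0' },
  },
};

console.log(JSON.stringify(findAffectedGraphql(SAMPLE_LOCKFILE), null, 2));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Every path the scan reports should be brought to 16.8.1 or later; nested copies matter because a plugin that pins its own graphql keeps the vulnerable validation rule even after the top-level dependency is updated. As defence in depth, independent of the version, capping the byte size of incoming GraphQL documents at the HTTP layer limits how much work any validation rule can be made to do.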

