GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
This issue has been addressed in the following products: Cryostat 3 on RHEL 8 Via RHSA-2024:8329 https://access.redhat.com/errata/RHSA-2024:8329
This issue has been addressed in the following products: RHOSS-1.35-RHEL-8 Via RHSA-2025:0664 https://access.redhat.com/errata/RHSA-2025:0664