CVE-2023-26144 : Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

Published 2023-09-20 05:15:40

Updated 2023-09-22 14:05:11

Source Snyk

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-26144

Graphql » Graphql » For Node.js
Versions from including (>=) 16.3.0 and before (<) 16.8.1
cpe:2.3:a:graphql:graphql:*:*:*:*:*:node.js:*:*
Matching versions
Graphql » Graphql » Version: 17.0.0 Update Alpha1 For Node.js
cpe:2.3:a:graphql:graphql:17.0.0:alpha1:*:*:*:node.js:*:*
Matching versions
Graphql » Graphql » Version: 17.0.0 Update Alpha2 For Node.js
cpe:2.3:a:graphql:graphql:17.0.0:alpha2:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-26144

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 42 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-26144

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2023-26144

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-26144

https://github.com/graphql/graphql-js/releases/tag/v16.8.1

Release v16.8.1 · graphql/graphql-js · GitHub
Release Notes
https://github.com/graphql/graphql-js/pull/3972

Release 16.8.1 to address resource exhaustion vulnerability by AaronMoat · Pull Request #3972 · graphql/graphql-js · GitHub
Product
https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226

OverlappingFieldsCanBeMergedRule: Fix performance degradation (#3958) · graphql/graphql-js@f94b511 · GitHub
Patch
https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181

Denial of Service (DoS) in graphql | CVE-2023-26144 | Snyk
Exploit;Issue Tracking;Patch;Third Party Advisory
https://github.com/graphql/graphql-js/issues/3955

Resource exhaustion exploit when parsing queries · Issue #3955 · graphql/graphql-js · GitHub
Exploit;Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-26144

Products affected by CVE-2023-26144

Exploit prediction scoring system (EPSS) score for CVE-2023-26144

CVSS scores for CVE-2023-26144

CWE ids for CVE-2023-26144

References for CVE-2023-26144