
    2 vulnerabilities found for apollo_server by apollographql

    CVE-2026-23897 (GCVE-0-2026-23897)

    Vulnerability from nvd – Published: 2026-02-04 19:18 – Updated: 2026-02-04 19:55
    Title
    Apollo Server is vulnerable to denial of service with `startStandaloneServer`
    Summary
    Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users who consume @apollo/server as a dependency of integration packages such as @as-integrations/express5 or @as-integrations/next; only direct usage of startStandaloneServer is affected.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    apollographql apollo-server Affected: >= 2.0.0, <= 3.13.0
    Affected: >= 4.2.0, < 4.13.0
    Affected: >= 5.0.0, < 5.4.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T19:55:05.118322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T19:55:22.294Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "apollo-server",
              "vendor": "apollographql",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c= 3.13.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.13.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apollo Server is an open-source, spec-compliant GraphQL server that\u0027s compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-04T19:18:59.957Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7"
            },
            {
              "name": "https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643"
            },
            {
              "name": "https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4"
            }
          ],
          "source": {
            "advisory": "GHSA-mp6q-xf9x-fwf7",
            "discovery": "UNKNOWN"
          },
          "title": "Apollo Server is vulnerable to denial of service with `startStandaloneServer`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23897",
        "datePublished": "2026-02-04T19:18:59.957Z",
        "dateReserved": "2026-01-16T21:02:02.903Z",
        "dateUpdated": "2026-02-04T19:55:22.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23897 (GCVE-0-2026-23897)

    Vulnerability from cvelistv5 – Published: 2026-02-04 19:18 – Updated: 2026-02-04 19:55
    Title
    Apollo Server is vulnerable to denial of service with `startStandaloneServer`
    Summary
    Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users who consume @apollo/server as a dependency of integration packages such as @as-integrations/express5 or @as-integrations/next; only direct usage of startStandaloneServer is affected.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    apollographql apollo-server Affected: >= 2.0.0, <= 3.13.0
    Affected: >= 4.2.0, < 4.13.0
    Affected: >= 5.0.0, < 5.4.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T19:55:05.118322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T19:55:22.294Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "apollo-server",
              "vendor": "apollographql",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c= 3.13.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c 4.13.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apollo Server is an open-source, spec-compliant GraphQL server that\u0027s compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-04T19:18:59.957Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7"
            },
            {
              "name": "https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643"
            },
            {
              "name": "https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4"
            }
          ],
          "source": {
            "advisory": "GHSA-mp6q-xf9x-fwf7",
            "discovery": "UNKNOWN"
          },
          "title": "Apollo Server is vulnerable to denial of service with `startStandaloneServer`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23897",
        "datePublished": "2026-02-04T19:18:59.957Z",
        "dateReserved": "2026-01-16T21:02:02.903Z",
        "dateUpdated": "2026-02-04T19:55:22.294Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }