CVE-2026-23897
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| apollographql | apollo-server | >= 2.0.0, <= 3.13.0 | affected |
| apollographql | apollo-server | >= 4.2.0, < 4.13.0 | affected |
| apollographql | apollo-server | >= 5.0.0, < 5.4.0 | affected |
Weaknesses
- CWE-1333: CWE-1333: Inefficient Regular Expression Complexity
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7
- https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643
- https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.