CVE-2025-27097

Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation

Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.

References

Link	Tags
https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2025-27097?: CVE-2025-27097 has been scored as a medium severity vulnerability.
How to fix CVE-2025-27097?: To fix CVE-2025-27097, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-27097 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-27097 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-27097?: CVE-2025-27097 affects ardatan graphql-mesh.

Description

Categories

CWE-400 – Uncontrolled Resource Consumption

CWE-401 – Missing Release of Memory after Effective Lifetime

References

Frequently Asked Questions