{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31496", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-28T13:36:51.299Z", "datePublished": "2025-04-07T20:34:46.624Z", "dateUpdated": "2025-04-08T16:00:33.160Z"}, "containers": {"cna": {"title": "apollo-compiler Named Fragment Processing Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/apollographql/apollo-rs/security/advisories/GHSA-7mpv-9xg6-5r79", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apollographql/apollo-rs/security/advisories/GHSA-7mpv-9xg6-5r79"}, {"name": "https://github.com/apollographql/apollo-rs/pull/952", "tags": ["x_refsource_MISC"], "url": "https://github.com/apollographql/apollo-rs/pull/952"}], "affected": [{"vendor": "apollographql", "product": "apollo-rs", "versions": [{"version": "< 1.27.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-07T20:34:46.624Z"}, "descriptions": [{"lang": "en", "value": "apollo-compiler is a query-based compiler for the GraphQL query language. Prior to 1.27.0, a vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. Named fragments were being processed once per fragment spread in some cases during query validation, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service in applications. This vulnerability is fixed in 1.27.0."}], "source": {"advisory": "GHSA-7mpv-9xg6-5r79", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T14:21:53.168134Z", "id": "CVE-2025-31496", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T16:00:33.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T14:21:53.168134Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T14:21:54.609Z"}}], "cna": {"title": "apollo-compiler Named Fragment Processing Vulnerability", "source": {"advisory": "GHSA-7mpv-9xg6-5r79", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "apollographql", "product": "apollo-rs", "versions": [{"status": "affected", "version": "< 1.27.0"}]}], "references": [{"url": "https://github.com/apollographql/apollo-rs/security/advisories/GHSA-7mpv-9xg6-5r79", "name": "https://github.com/apollographql/apollo-rs/security/advisories/GHSA-7mpv-9xg6-5r79", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/apollographql/apollo-rs/pull/952", "name": "https://github.com/apollographql/apollo-rs/pull/952", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "apollo-compiler is a query-based compiler for the GraphQL query language. Prior to 1.27.0, a vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. Named fragments were being processed once per fragment spread in some cases during query validation, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service in applications. This vulnerability is fixed in 1.27.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-07T20:34:46.624Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31496", "state": "PUBLISHED", "dateUpdated": "2025-04-08T16:00:33.160Z", "dateReserved": "2025-03-28T13:36:51.299Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-07T20:34:46.624Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "apollo-compiler is a query-based compiler for the GraphQL query language. Prior to 1.27.0, a vulnerability in Apollo Compiler allowed queries with deeply nested and reused named fragments to be prohibitively expensive to validate. Named fragments were being processed once per fragment spread in some cases during query validation, leading to exponential resource usage when deeply nested and reused fragments were involved. This could lead to excessive resource consumption and denial of service in applications. This vulnerability is fixed in 1.27.0."}, {"lang": "es", "value": "apollo-compiler es un compilador basado en consultas para el lenguaje de consulta GraphQL. Antes de la versi\u00f3n 1.27.0, una vulnerabilidad en Apollo Compiler hac\u00eda que la validaci\u00f3n de consultas con fragmentos con nombre profundamente anidados y reutilizados fuera extremadamente costosa. En algunos casos, los fragmentos con nombre se procesaban una vez por fragmento distribuido durante la validaci\u00f3n de consultas, lo que provocaba un consumo exponencial de recursos al usar fragmentos profundamente anidados y reutilizados. Esto pod\u00eda provocar un consumo excesivo de recursos y denegaci\u00f3n de servicio en las aplicaciones. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.27.0."}], "id": "CVE-2025-31496", "lastModified": "2025-04-08T18:13:53.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-07T21:15:42.720", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/apollographql/apollo-rs/pull/952"}, {"source": "security-advisories@github.com", "url": "https://github.com/apollographql/apollo-rs/security/advisories/GHSA-7mpv-9xg6-5r79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}