CVE-2025-27097
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2025-27097 is a vulnerability affecting GraphQL Mesh, a GraphQL Federation framework and gateway. When a user transforms queries on the root level or on a single source, and the client sends the same query with different variables, the initial variables are reused in subsequent requests until the cache evicts the DocumentNode. This can lead to a short-term memory leak, where a token sent via variables is inadvertently used in subsequent requests, even if those requests carry different tokens. The issue does not grow with each request, only with each different operation, until the cache evicts the DocumentNode under its Least Recently Used (LRU) mechanism.
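The following is a simplified model of the behaviour described in the summary, added here as an illustration and not taken from GraphQL Mesh. It shows a cache keyed on the query that also retains the first request's variables, next to a variant that caches only the transformed document. The names `LruCache`, `transformDocument`, `makeGateway` and `demo`, the cache size and the token values are all constructed assumptions.

```javascript
// Simplified model of the caching flaw; not GraphQL Mesh code. All names are hypothetical.
class LruCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key);          // re-insert to mark as most recently used
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    this.map.delete(key);
    this.map.set(key, value);
    // Evict the least recently used entry (first key in insertion order).
    if (this.map.size > this.max) this.map.delete(this.map.keys().next().value);
  }
}

// Stand-in for a query transform that produces a DocumentNode.
const transformDocument = (query) => ({ kind: 'Document', source: query.trim() });

function makeGateway({ cacheVariables, cacheSize = 2 }) {
  const cache = new LruCache(cacheSize);
  return function forward(query, variables) {
    let entry = cache.get(query);
    if (!entry) {
      entry = { document: transformDocument(query) };
      // Flawed mode: per-request data is stored alongside the cached document.
      if (cacheVariables) entry.variables = variables;
      cache.set(query, entry);
    }
    // Hardened mode: variables always come from the current request.
    return { document: entry.document, variables: cacheVariables ? entry.variables : variables };
  };
}

// Constructed sample requests: same operation, different tokens.
function demo(cacheVariables) {
  const forward = makeGateway({ cacheVariables });
  const q = 'query Me($token: String!) { me(token: $token) { id } }';
  const seen = [forward(q, { token: 'token-A' }), forward(q, { token: 'token-B' })];
  forward('query A { a }', {});   // two other operations push q out of the 2-entry LRU
  forward('query B { b }', {});
  seen.push(forward(q, { token: 'token-C' }));
  return seen.map((r) => r.variables.token);
}

console.log('flawed:  ', demo(true));
console.log('hardened:', demo(false));
```

In the flawed mode the second request is forwarded with the first request's token, and the stale value disappears only once other operations evict the entry.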