CVE-2024-40094

Medium

Published: 30 July 2024

Modified: 15 April 2026
CVSS v3.1 Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.1753 (95.2nd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40094 is a medium-severity vulnerability whose weakness type is unspecified (no CWE is listed). Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

GraphQL Java (graphql-java) in versions before 21.5 does not properly account for ExecutableNormalizedFields (ENFs) in the logic that is meant to prevent denial of service via introspection queries. The issue was also fixed in the backported releases 20.9 and 19.11. The flaw received a CVSS 3.1 base score of 5.3; the vector indicates that it is reachable over the network with no authentication and no user interaction.

An unauthenticated remote attacker can submit specially crafted introspection queries to an affected application that uses the library. The recorded vector scores this as a limited integrity impact (I:L) with no availability impact, which sits oddly with the denial-of-service nature of the underlying weakness; defenders should treat resource exhaustion of the GraphQL endpoint as the practical outcome. The attack requires no privileges or user interaction and can be performed over the network.

The project addressed the issue in commit 97743bc and pull request 3539, shipped in the GitHub releases for versions 19.11, 20.9, and 21.5. The EPSS score has remained flat at 0.1753, with no material increase since disclosure.

Vulnerability details

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.

CWE(s): None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
