Cyber Resilience

CVE-2025-27097

Severity: Medium
Published: 20 February 2025
Modified: 27 February 2025
CVSS Score (v4): 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (62.0th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27097 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in The-Guild Graphql Mesh. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27097 is a vulnerability in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that supports GraphQL Federation and non-GraphQL subgraphs, including REST, gRPC services, and databases like MongoDB, MySQL, and PostgreSQL. The issue arises when users apply transforms at the root level or to a single source, causing the cache to retain initial variables for subsequent identical queries with different variables until the DocumentNode is evicted by the LRU mechanism. This results in later requests reusing the initial variables—such as authentication tokens—regardless of new values provided, alongside a bounded memory leak that grows per unique operation rather than per request. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak).

Any unauthenticated remote attacker with network access can exploit this vulnerability by sending repeated queries with varying variables, such as different authentication tokens, against an affected GraphQL Mesh instance configured with the specified transforms. This forces the cache to apply the initial variables across requests, potentially leading to incorrect token handling and a denial-of-service condition through gradual memory consumption, as the leak accumulates based on distinct operations until LRU eviction occurs.

The official security advisory, published on GitHub at https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886, provides details on mitigation steps for this vulnerability. Security practitioners should consult this advisory for patching instructions, workarounds, and affected versions of GraphQL Mesh.


Vulnerability details

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.
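As an added illustration of the cache behaviour described in the analysis and advisory text above (not graphql-mesh's own code), the toy gateway below contrasts a DocumentNode cache that also captures the first request's variables with one that memoises only the parsed document. The LruCache, parseDocument and gateway factories are hypothetical stand-ins.

```javascript
// Constructed illustration of the CVE-2025-27097 bug class (not graphql-mesh code):
// a per-operation DocumentNode cache that also captures request-scoped variables.
class LruCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key); this.map.set(key, value); // re-insert to mark most recently used
    return value;
  }
  set(key, value) {
    this.map.delete(key);
    this.map.set(key, value);
    if (this.map.size > this.max) this.map.delete(this.map.keys().next().value); // evict LRU
  }
  get size() { return this.map.size; }
}

// Hypothetical stand-in for graphql's parse(): the expensive step that is worth memoising.
function parseDocument(query) {
  return { kind: 'Document', text: query };
}

// Vulnerable shape: the entry keyed by query text stores the first request's variables, so
// later requests for the same operation run with them until eviction; memory grows per operation.
function makeVulnerableGateway(max = 100) {
  const cache = new LruCache(max);
  return {
    execute(query, variables) {
      let entry = cache.get(query);
      if (!entry) {
        entry = { document: parseDocument(query), variables }; // request data leaks into cache
        cache.set(query, entry);
      }
      return { document: entry.document, variables: entry.variables, cacheSize: cache.size };
    },
  };
}

// Hardened shape: memoise only the parsed DocumentNode; variables stay with the request.
function makeFixedGateway(max = 100) {
  const cache = new LruCache(max);
  return {
    execute(query, variables) {
      let document = cache.get(query);
      if (!document) { document = parseDocument(query); cache.set(query, document); }
      return { document, variables, cacheSize: cache.size };
    },
  };
}
```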


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service (Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Remote unauthenticated exploitation of a public-facing GraphQL service enables T1190; the memory leak triggered by repeated queries with varying variables directly facilitates T1499 (endpoint DoS) through resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27098: same vendor (The-Guild)
CVE-2026-1605: shared CWE-400, CWE-401
CVE-2026-8856: shared CWE-400
CVE-2026-24215: shared CWE-400
CVE-2025-24247: shared CWE-400
CVE-2026-8968: shared CWE-400
CVE-2025-24260: shared CWE-400
CVE-2025-43193: shared CWE-400
CVE-2026-42001: shared CWE-400
CVE-2026-39304: shared CWE-400

Affected Assets

Vendor: the-guild
Product: graphql mesh
Affected versions: 0.96.5, 0.96.6, 0.96.7, 0.96.8

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly addresses the vulnerability by identifying, reporting, and applying patches or updates to fix the GraphQL Mesh cache flaw causing variable retention and memory leak.

SC-5 Denial-of-service Protection (prevent): Protects against denial-of-service from repeated GraphQL queries with varying variables that trigger the bounded memory leak in the DocumentNode cache.

Prevent: Ensures availability of memory resources against gradual depletion due to per-unique-operation accumulation until LRU eviction.
