CVE-2025-27097
Published: 20 February 2025
Summary
CVE-2025-27097 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in The-Guild Graphql Mesh. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27097 is a vulnerability in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that supports GraphQL Federation and non-GraphQL subgraphs, including REST and gRPC services and databases such as MongoDB, MySQL, and PostgreSQL. The issue arises when transforms are applied at the root level or to a single source: the document cache then retains the first request's variables, so subsequent identical queries that carry different variables reuse those initial variables until the DocumentNode is evicted by the LRU mechanism. Later requests therefore run with the initial variables, such as an authentication token, regardless of the new values provided, alongside a bounded memory leak that grows per unique operation rather than per request. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak).
Any unauthenticated remote attacker with network access can exploit this vulnerability by sending repeated queries with varying variables, such as different authentication tokens, against an affected GraphQL Mesh instance configured with the specified transforms. This forces the cache to apply the initial variables across requests, potentially leading to incorrect token handling and a denial-of-service condition through gradual memory consumption, as the leak accumulates based on distinct operations until LRU eviction occurs.
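The cache behaviour described above, as an added illustration that is not GraphQL Mesh's code: a minimal LRU-bounded document cache in the flawed shape (the cache entry captures the first request's variables alongside the parsed document) beside the corrected shape (only the parsed DocumentNode is cached and every request supplies its own variables). `parse`, `execute`, `LRUCache` and the two gateway factories are hypothetical stand-ins for the real graphql-js and Mesh internals, and the query strings and tokens are constructed sample input.

```javascript
// Added illustration of the bug class CVE-2025-27097 describes (not Mesh code).
// A tiny LRU keyed on the raw query string, bounded like the real document cache.
class LRUCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key);
    this.map.set(key, value); // re-insert to mark as most recently used
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) this.map.delete(key);
    this.map.set(key, value);
    if (this.map.size > this.max) {
      // Map preserves insertion order, so the first key is the least recently used
      const oldest = this.map.keys().next().value;
      this.map.delete(oldest);
    }
  }
  get size() { return this.map.size; }
}

// Hypothetical stand-in for graphql's parse(): wraps the query in a DocumentNode-like object.
function parse(query) { return { kind: 'Document', source: query }; }

// Hypothetical executor: the resolver authorises with the token carried in variables.
function execute(document, variables) {
  return { token: variables.token, source: document.source };
}

// Flawed pattern: the cache entry stores the first request's variables, so every later
// request with the same query string runs with those stale variables until LRU eviction.
function makeFlawedGateway(maxEntries) {
  const cache = new LRUCache(maxEntries);
  const handle = (query, variables) => {
    let entry = cache.get(query);
    if (!entry) {
      entry = { document: parse(query), variables }; // variables captured here (the defect)
      cache.set(query, entry);
    }
    return execute(entry.document, entry.variables);
  };
  handle.cacheSize = () => cache.size;
  return handle;
}

// Corrected pattern: cache only the parsed DocumentNode; variables come from each request.
function makeFixedGateway(maxEntries) {
  const cache = new LRUCache(maxEntries);
  const handle = (query, variables) => {
    let document = cache.get(query);
    if (!document) {
      document = parse(query);
      cache.set(query, document);
    }
    return execute(document, variables); // per-request variables, never cached
  };
  handle.cacheSize = () => cache.size;
  return handle;
}

// Runs the scenario from the advisory: same query, different tokens, then distinct queries.
function demonstrate() {
  const query = '{ me { id } }'; // constructed sample operation
  const flawed = makeFlawedGateway(2);
  const fixed = makeFixedGateway(2);
  const result = {
    flawedSecondToken: (flawed(query, { token: 'alice' }), flawed(query, { token: 'bob' }).token),
    fixedSecondToken: (fixed(query, { token: 'alice' }), fixed(query, { token: 'bob' }).token),
  };
  // Growth is per distinct operation, not per request, and bounded by the LRU limit.
  for (let i = 0; i < 100; i++) fixed(query, { token: `t${i}` });
  result.sizeAfterRepeats = fixed.cacheSize();
  fixed('{ a }', {});
  fixed('{ b }', {});
  result.sizeAfterDistinct = fixed.cacheSize();
  return result;
}

console.log(demonstrate());
```

With the flawed gateway the second call still answers for `alice` even though `bob` was sent, which is the token confusion the advisory describes; with the fixed gateway each request sees its own token. The size counters show why the leak is bounded: a hundred repeats of one operation occupy a single entry, and the third distinct operation evicts the oldest one under the LRU limit of two.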
The official security advisory, published on GitHub at https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886, provides details on mitigation steps for this vulnerability. Security practitioners should consult this advisory for patching instructions, workarounds, and affected versions of GraphQL Mesh.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2806
Vulnerability details
GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user applies transforms on the root level or on a single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts the DocumentNode. If a token is sent via variables, the following requests will act as if the same token is sent even if the following requests have different tokens. This can cause a short memory leak, but it won't grow per request; it grows per different operation until the cache evicts the DocumentNode by the LRU mechanism.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption); CWE-401 (Memory Leak)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1499 Endpoint Denial of Service
Why these techniques?
Remote unauthenticated exploitation of a public-facing GraphQL service enables T1190; the memory leak triggered by repeated queries with varying variables directly facilitates T1499 (Endpoint Denial of Service) through resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the vulnerability by identifying, reporting, and applying patches or updates that fix the GraphQL Mesh cache flaw causing variable retention and the memory leak.
- SC-5 (Denial-of-service Protection): protects against denial of service from repeated GraphQL queries with varying variables that trigger the bounded memory leak in the DocumentNode cache.
- Ensures availability of memory resources against gradual depletion due to per-unique-operation accumulation until LRU eviction.