{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T13:09:12.117","vulnerabilities":[{"cve":{"id":"CVE-2025-27097","sourceIdentifier":"security-advisories@github.com","published":"2025-02-20T21:15:26.227","lastModified":"2025-02-27T20:27:24.720","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism."},{"lang":"es","value":"GraphQL Mesh es un framework de trabajo y una puerta de enlace de GraphQL Federation para GraphQL Federation y subgrafos que no son de GraphQL Federation, servicios que no son de GraphQL, como REST y gRPC, y también bases de datos como MongoDB, MySQL y PostgreSQL. Cuando un usuario realiza una transformación en el nivel superusuario o en una única fuente con transformaciones, y el cliente envía la misma consulta con diferentes variables, las variables iniciales se utilizan en todas las solicitudes siguientes hasta que la memoria caché expulsa a DocumentNode. Si se envía un token a través de variables, las solicitudes siguientes actuarán como si se enviara el mismo token, incluso si las solicitudes siguientes tienen tokens diferentes. Esto puede provocar una breve pérdida de memoria, pero no aumentará con cada solicitud, sino con cada operación diferente hasta que la memoria caché expulse a DocumentNode mediante el mecanismo LRU."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:P\/VC:N\/VI:L\/VA:L\/SC:N\/SI:N\/SA:N\/E:X\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X","baseScore":5.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Secondary","description":[{"lang":"en","value":"CWE-401"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:the-guild:graphql_mesh:0.96.5:*:*:*:*:node.js:*:*","matchCriteriaId":"BE510785-F022-4152-8536-1322352F0698"},{"vulnerable":true,"criteria":"cpe:2.3:a:the-guild:graphql_mesh:0.96.6:*:*:*:*:node.js:*:*","matchCriteriaId":"2D484264-71CC-4CFC-8959-FC43C8E44D5D"},{"vulnerable":true,"criteria":"cpe:2.3:a:the-guild:graphql_mesh:0.96.7:*:*:*:*:node.js:*:*","matchCriteriaId":"42D32CD2-98C5-49CB-A66E-F9F72F560073"},{"vulnerable":true,"criteria":"cpe:2.3:a:the-guild:graphql_mesh:0.96.8:*:*:*:*:node.js:*:*","matchCriteriaId":"B077BCC7-800F-43F3-AB05-6F7B3C05F0AA"}]}]}],"references":[{"url":"https:\/\/github.com\/ardatan\/graphql-mesh\/security\/advisories\/GHSA-rr4x-crhf-8886","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}