CVE-2025-27097 — HIGH (7.5)

Vulnerability Description

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
The-Guild	Graphql Mesh	0.96.5

Related Weaknesses (CWE)

CWE-401 CWE-400

References

https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886Vendor Advisory

FAQ

What is CVE-2025-27097?

CVE-2025-27097 is a vulnerability with a CVSS score of 7.5 (HIGH). GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as Mon...

How severe is CVE-2025-27097?

CVE-2025-27097 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-27097?

Check the references section above for vendor advisories and patch information. Affected products include: The-Guild Graphql Mesh.