CVE-2026-23897
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users who consume @apollo/server through integration packages such as @as-integrations/express5 or @as-integrations/next; only direct usage of startStandaloneServer is affected.
Analysis
Apollo Server's standalone mode (versions 2.0.0-3.13.0, 4.2.0-4.12.x, and 5.0.0-5.3.x) is vulnerable to denial of service attacks when processing GraphQL requests with non-standard character set encodings, allowing unauthenticated remote attackers to crash the service. This vulnerability only affects direct usage of startStandaloneServer and does not impact applications using Apollo Server through integration packages. …
Remediation
Within 24 hours: Inventory all Apollo Server instances and versions in production and development environments; enable monitoring for abnormal request patterns. Within 7 days: Implement network-level request filtering and rate limiting; configure WAF rules to block malicious GraphQL payloads; restrict standalone server exposure to trusted networks only. …
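As an added example (not code from the advisory or from Apollo Server), one way to do the request filtering the remediation lists: a pre-filter placed in front of a Node HTTP GraphQL handler that answers 415 to any POST body whose declared charset is not UTF-8, so the body never reaches the server's parser. It assumes the body encoding is declared through the Content-Type charset parameter; the names parseContentType, checkRequestEncoding and guardGraphqlHandler are hypothetical.

```javascript
// Added example, not Apollo Server code. Assumption: the request body encoding
// is declared via the Content-Type charset parameter, so rejecting unexpected
// charsets here keeps exotic encodings away from the GraphQL body parser.

const ALLOWED_MEDIA_TYPE = 'application/json';
const ALLOWED_CHARSETS = new Set(['utf-8', 'utf8']);

// Parse a Content-Type header into a lowercased media type and parameter map.
// Returns null when the header is missing or has no media type.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [type, ...params] = header.split(';').map((s) => s.trim());
  if (!type) return null;
  const parameters = {};
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    const key = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    parameters[key] = value.toLowerCase();
  }
  return { type: type.toLowerCase(), parameters };
}

// Decide whether a POST body may be handed to the GraphQL server.
// Returns { ok: true } or { ok: false, status, reason } for the caller to send.
function checkRequestEncoding(contentTypeHeader) {
  const ct = parseContentType(contentTypeHeader);
  if (!ct) return { ok: false, status: 415, reason: 'missing or malformed Content-Type' };
  if (ct.type !== ALLOWED_MEDIA_TYPE) {
    return { ok: false, status: 415, reason: `unsupported media type ${ct.type}` };
  }
  const charset = ct.parameters.charset ?? 'utf-8'; // JSON defaults to UTF-8 when unspecified
  if (!ALLOWED_CHARSETS.has(charset)) {
    return { ok: false, status: 415, reason: `unsupported charset ${charset}` };
  }
  return { ok: true };
}

// Wrap a Node-style (req, res) GraphQL handler; rejected POSTs are answered
// here and never reach `next`. Non-POST requests pass straight through.
function guardGraphqlHandler(next) {
  return (req, res) => {
    if (req.method !== 'POST') return next(req, res);
    const verdict = checkRequestEncoding(req.headers['content-type']);
    if (verdict.ok) return next(req, res);
    res.writeHead(verdict.status, { 'Content-Type': 'application/json; charset=utf-8' });
    res.end(JSON.stringify({ errors: [{ message: verdict.reason }] }));
  };
}
```

Pair this with the rate limiting the remediation mentions; the filter only removes the encoding vector, it does not bound request volume.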
External POC / Exploit Code
GHSA-mp6q-xf9x-fwf7