Skip to main content

Apollo Server CVE-2026-23897

HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-02-04 security-advisories@github.com GHSA-mp6q-xf9x-fwf7
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 04, 2026 - 20:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @apollo/server (1 direct, 0 indirect)
  • 2 npm packages depend on apollo-server (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0 and other introduced versions.

DescriptionGitHub Advisory

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.

AnalysisAI

Apollo Server's standalone mode (versions 2.0.0-3.13.0, 4.2.0-4.12.x, and 5.0.0-5.3.x) is vulnerable to denial of service attacks when processing GraphQL requests with non-standard character set encodings, allowing unauthenticated remote attackers to crash the service. This vulnerability only affects direct usage of startStandaloneServer and does not impact applications using Apollo Server through integration packages. No patch is currently available.

Technical ContextAI

This vulnerability (CWE-1333: Inefficient Regular Expression Complexity (ReDoS)) affects to. Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency fo

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-23897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy