Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
AnalysisAI
GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.
Technical ContextAI
CWE-770 resource allocation flaw permits unbounded GraphQL operation batching within single HTTP requests. Absence of query complexity analysis or depth/batch limits allows attackers to bypass rate-limiting through GraphQL alias syntax (e.g., alias1:mutation, alias2:mutation) or sequential mutation chaining. Saleor's GraphQL API processes all operations synchronously without resource throttling, enabling computational exhaustion attacks against web and application tiers.
RemediationAI
Vendor-released patches: upgrade to Saleor 3.23.0a3 (or stable release when available), 3.22.47, 3.21.54, or 3.20.118 depending on deployment branch. These versions implement GraphQL query complexity limits and mutation batching restrictions to prevent resource exhaustion. For environments unable to upgrade immediately, implement application-layer GraphQL query depth limiting (maximum 10-15 levels), alias count restrictions (<20 per request), and mutation batch size caps (<10 operations) via reverse proxy or WAF rules. Advisory: https://github.com/saleor/saleor/security/advisories/GHSA-gqqv-xwx3-jj4h. Monitor API gateway logs for abnormal GraphQL payload sizes or repetitive field patterns indicating exploitation attempts.
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerab
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3),
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers
Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching.
Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform ve
In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the
Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the acc
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG
Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authe
Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability
Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exp
Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestE
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20532