GraphQL Mesh DocumentNode Caching Vulnerability Leading to Token Mismanagement

Vulnerability

A vulnerability exists in GraphQL Mesh versions 0.96.5 through 0.96.8, specifically within the @graphql-mesh/runtime package. The issue arises when transforms are applied at the root level or on a single source and the client submits the same query with varying variables. In such cases, the initial set of variables is retained and reused in subsequent requests until the cache evicts the DocumentNode. If a token is transmitted through the variables, subsequent requests behave as if the same token were still being sent, regardless of any changes. The vulnerability can also lead to a temporary memory leak that accumulates per operation until the cache clears the DocumentNode using a least-recently-used eviction strategy.
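
The behaviour described above can be reproduced in a small model. This is an added example, not code from GraphQL Mesh: the names LruCache, parse, buggyExecute, fixedExecute and tokensSeen and the sample query and tokens are all constructed for illustration. It shows a cache keyed only by query text that retains the first request's variables, next to a version that caches only the document.

```javascript
// Simplified model of the bug class described in this advisory; constructed for
// illustration, NOT GraphQL Mesh source. All names here are hypothetical.

// Minimal LRU cache: a Map iterates in insertion order, so the first key is oldest.
class LruCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key); // re-insert to mark as most recently used
    this.map.set(key, value);
    return value;
  }
  set(key, value) {
    this.map.delete(key);
    this.map.set(key, value);
    if (this.map.size > this.max) this.map.delete(this.map.keys().next().value);
  }
}

// Stand-in for parsing and transforming a query string into a DocumentNode.
const parse = (query) => ({ kind: 'Document', source: query });

// Flawed pattern: the entry is keyed by query text only, yet it also captures
// the variables of whichever request populated it first.
function buggyExecute(cache, query, variables) {
  let entry = cache.get(query);
  if (!entry) {
    entry = { document: parse(query), variables };
    cache.set(query, entry);
  }
  return { document: entry.document, tokenUsed: entry.variables.token };
}

// Corrected pattern: only the variable-independent document is cached and the
// variables always come from the current request.
function fixedExecute(cache, query, variables) {
  let document = cache.get(query);
  if (!document) {
    document = parse(query);
    cache.set(query, document);
  }
  return { document, tokenUsed: variables.token };
}

// Regression check: same query, different token per request; returns tokens acted on.
function tokensSeen(execute, tokens, cache = new LruCache(2)) {
  const query = 'query Me($token: String!) { me(token: $token) { id } }';
  return tokens.map((token) => execute(cache, query, { token }).tokenUsed);
}
```

With the constructed tokens 'token-alice' and 'token-bob', tokensSeen returns the first token twice for buggyExecute and each request's own token for fixedExecute. In the flawed model the stale token disappears only once the entry is evicted.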

Impact

Exploitation of this vulnerability can cause a memory leak, with cached data persisting longer than intended, potentially leading to outdated or incorrect information being used in operations. The primary concern is the mismanagement of tokens sent through variables, which can result in unintended authorization or authentication behaviors.

Remediation

Users can upgrade to GraphQL Mesh version 0.96.9 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.