CVE-2025-27097 in graphql-mesh
Summary
by MITRE • 02/20/2025
GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. When a user transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode. If a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens. This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/20/2025
The vulnerability identified in CVE-2025-27097 affects GraphQL Mesh, a GraphQL Federation framework and gateway that serves as an intermediary for various data sources including GraphQL, REST, gRPC, and databases. This security issue stems from improper handling of query variable caching within the framework's document node management system. The flaw manifests when users apply transformations at the root level or single source with transforms, creating a scenario where variable values from the initial request persist across subsequent requests until the cache eviction mechanism removes the DocumentNode entry. This behavior fundamentally violates the expected isolation properties of individual requests and creates a persistent state contamination issue.
The technical implementation of this vulnerability involves the framework's caching mechanism for DocumentNode objects, which store parsed GraphQL operations along with their associated variable values. When a client submits a query with specific variables including authentication tokens, those variable values become embedded within the cached DocumentNode structure. Subsequent requests using the same operation but different variables will inadvertently reuse the cached variable values, leading to unauthorized access patterns. This occurs because the framework does not properly differentiate between variable values for different requests when the underlying operation structure remains identical. The vulnerability specifically impacts the LRU (Least Recently Used) cache eviction mechanism, where the cached DocumentNode entries retain their initial variable values until they are automatically removed from memory.
The operational impact of this vulnerability extends beyond simple authentication token leakage to encompass broader authorization and data access control concerns. While the memory leak is described as "short" and does not grow with each request, the persistence of variable values creates a window of opportunity for attackers to exploit the system. The vulnerability essentially allows for a form of request replay or variable injection where a malicious actor could potentially leverage cached variable values to access resources they should not be authorized to reach. This creates a significant risk for applications relying on GraphQL Mesh for federated data access, particularly those handling sensitive information or implementing fine-grained access controls. The issue is particularly concerning in multi-tenant environments where different users share the same operation structures but require distinct authorization contexts.
From a cybersecurity perspective, this vulnerability aligns with CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) categories, as it exposes sensitive authentication information and allows for unauthorized access patterns. The ATT&CK framework would categorize this under T1566 (Phishing) and T1078 (Valid Accounts) as attackers could potentially leverage cached tokens to maintain access to systems. The vulnerability also demonstrates characteristics of T1213 (Data from Information Repositories) where unauthorized access to data repositories occurs through manipulation of cached variable values. Organizations implementing GraphQL Mesh should consider immediate mitigation strategies including implementing more granular cache invalidation policies, ensuring variable values are properly scoped to individual requests, and monitoring for unusual access patterns that might indicate exploitation of this vulnerability. Additionally, the framework should be updated to ensure that variable values are not persisted across different requests for the same operation structure, maintaining proper request isolation and preventing the leakage of sensitive information through the caching mechanism.