Cyber Posture

CVE-2025-27097

High

Published: 20 February 2025

Modified: 27 February 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

Security Summary

CVE-2025-27097 is a vulnerability in GraphQL Mesh, an open-source GraphQL Federation framework and gateway that composes GraphQL subgraphs as well as non-GraphQL sources, including REST and gRPC services and databases such as MongoDB, MySQL, and PostgreSQL. The issue arises when users apply transforms at the root level or to a single source: the cache then retains the first request's variables for every subsequent identical query, even when that query arrives with different variables, until the cached DocumentNode is evicted by the LRU mechanism. As a result, later requests reuse the initial variables (for example, authentication tokens) regardless of the new values provided. The same behaviour also causes a bounded memory leak that grows per unique operation rather than per request. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak).

Any unauthenticated remote attacker with network access can exploit this vulnerability by sending repeated queries with varying variables, such as different authentication tokens, against an affected GraphQL Mesh instance configured with the specified transforms. Because the cache applies the initial variables across requests, this can lead to incorrect token handling and to a denial-of-service condition through gradual memory consumption, since the leak accumulates per distinct operation until LRU eviction occurs.
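The following is an added illustration, not code from GraphQL Mesh or from the advisory. It models the failure mode described above with a deliberately small gateway: a flawed variant that caches the prepared request (parsed document together with the first caller's variables) under a key derived from the query text alone, and a corrected variant that caches only the immutable parsed document and takes variables from each request. The class and function names (`LruCache`, `makeFlawedGateway`, `makeFixedGateway`, `demonstrate`) and the sample tokens are hypothetical and constructed for the example; the LRU bound also shows why the leak grows per unique operation and stops at the cache limit.

```javascript
// Added example, not GraphQL Mesh code. All names and sample values are hypothetical.

// Minimal LRU cache: Map preserves insertion order, so the first key is the least recent.
class LruCache {
  constructor(max) { this.max = max; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const value = this.map.get(key);
    this.map.delete(key);
    this.map.set(key, value); // refresh recency
    return value;
  }
  set(key, value) {
    if (this.map.has(key)) {
      this.map.delete(key);
    } else if (this.map.size >= this.max) {
      this.map.delete(this.map.keys().next().value); // evict least recently used
    }
    this.map.set(key, value);
  }
  get size() { return this.map.size; }
}

// Stand-in for parsing query text into a DocumentNode (the expensive step worth caching).
function parse(query) { return { kind: 'Document', source: query }; }

// Stand-in executor: reports which token actually reached the resolver layer.
function execute(doc, variables) { return { query: doc.source, usedToken: variables.token }; }

// Flawed: the transform step caches document AND variables under the query text,
// so the first caller's variables are replayed for everyone until LRU eviction.
function makeFlawedGateway(maxEntries) {
  const cache = new LruCache(maxEntries);
  return {
    handle(query, variables) {
      let prepared = cache.get(query);
      if (!prepared) {
        prepared = { doc: parse(query), variables }; // variables captured here (the defect)
        cache.set(query, prepared);
      }
      return execute(prepared.doc, prepared.variables);
    },
    cacheSize: () => cache.size,
  };
}

// Corrected: only the immutable DocumentNode is cached; variables come from the current request.
function makeFixedGateway(maxEntries) {
  const cache = new LruCache(maxEntries);
  return {
    handle(query, variables) {
      let doc = cache.get(query);
      if (!doc) { doc = parse(query); cache.set(query, doc); }
      return execute(doc, variables);
    },
    cacheSize: () => cache.size,
  };
}

// Constructed scenario: one operation sent by two users with different bearer tokens,
// then enough distinct operations to force LRU eviction.
function demonstrate() {
  const QUERY = '{ me { id } }';
  const flawed = makeFlawedGateway(3);
  const fixed = makeFixedGateway(3);

  const flawedTokens = ['alice-token', 'bob-token']
    .map(token => flawed.handle(QUERY, { token }).usedToken); // both see alice-token
  const fixedTokens = ['alice-token', 'bob-token']
    .map(token => fixed.handle(QUERY, { token }).usedToken);  // each sees its own token

  // Each unique operation adds a cache entry, but growth is capped by the LRU bound.
  for (let i = 0; i < 10; i++) flawed.handle(`{ item${i} { id } }`, { token: 'x' });
  const flawedCacheSize = flawed.cacheSize();

  // Once QUERY has been evicted, the next caller's variables are captured instead.
  const afterEvictionToken = flawed.handle(QUERY, { token: 'carol-token' }).usedToken;

  return { flawedTokens, fixedTokens, flawedCacheSize, afterEvictionToken };
}

console.log(demonstrate());
```

The defender-side takeaway is the cache key contract: anything that varies per request (variables, headers, identity) must never be stored alongside the parsed document, and a bounded LRU limits how much memory distinct operations can consume but does not fix the variable reuse on its own.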

The official security advisory, published on GitHub at https://github.com/ardatan/graphql-mesh/security/advisories/GHSA-rr4x-crhf-8886, provides details on mitigation steps for this vulnerability. Security practitioners should consult this advisory for patching instructions, workarounds, and affected versions of GraphQL Mesh.

Details

CWE(s)
CWE-400 (Uncontrolled Resource Consumption), CWE-401 (Memory Leak)

Affected Products

Vendor: the-guild
Product: graphql mesh
Affected versions: 0.96.5, 0.96.6, 0.96.7, 0.96.8

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service (Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Remote unauthenticated exploitation of a public-facing GraphQL service maps to T1190; the memory leak triggered by repeated queries with varying variables directly facilitates T1499 endpoint DoS through resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
