GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.graphql-java:graphql-java(Maven) | 0 | 19.11 | N/A |
| com.graphql-java:graphql-java(Maven) | 20.0 | 20.9 | N/A |
| com.graphql-java:graphql-java(Maven) | 21.0 | 21.5 | N/A |
CVSS Metrics
