Spring · Spring for GraphQL · CVE-2023-34047
**Name of the Vulnerable Software and Affected Versions**
Spring for GraphQL versions 1.1.0 through 1.1.5
Spring for GraphQL versions 1.2.0 through 1.2.2
**Description**
A batch loader function in Spring for GraphQL may be exposed to GraphQL context with values, including security context values, from a different session. This issue arises when an application provides a `DataLoaderOptions` instance while registering batch loader functions through `DefaultBatchLoaderRegistry`.
**Recommendations**
For Spring for GraphQL versions 1.1.0 through 1.1.5 and 1.2.0 through 1.2.2, avoid providing a `DataLoaderOptions` instance when registering batch loader functions through `DefaultBatchLoaderRegistry`. This prevents the batch loader from being exposed to GraphQL context from a different session.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
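The registration pattern described above, next to a registration that follows the recommendation. This is an added example, not code from the Spring project or from this advisory. `Author`, `AUTHORS`, `loadAuthors` and both `register*` methods are hypothetical names, and the data is constructed.

```java
import java.util.List;
import java.util.Map;

import org.dataloader.DataLoaderOptions;
import org.springframework.graphql.execution.DefaultBatchLoaderRegistry;
import reactor.core.publisher.Flux;

// Illustration only: every name below except the library types is hypothetical.
public final class AuthorBatchLoaders {

    record Author(Long id, String name) {}

    // Constructed in-memory data standing in for a repository.
    private static final Map<Long, Author> AUTHORS = Map.of(
            1L, new Author(1L, "Ada"),
            2L, new Author(2L, "Grace"));

    // Returns one Author per requested id, in the same order as the ids.
    private static Flux<Author> loadAuthors(List<Long> ids) {
        return Flux.fromIterable(ids)
                .map(id -> AUTHORS.getOrDefault(id, new Author(id, "unknown")));
    }

    // Pattern the advisory flags on 1.1.0-1.1.5 and 1.2.0-1.2.2:
    // a DataLoaderOptions instance is supplied at registration time.
    static void registerWithOptions(DefaultBatchLoaderRegistry registry) {
        DataLoaderOptions options = DataLoaderOptions.newOptions().setMaxBatchSize(50);
        registry.forTypePair(Long.class, Author.class)
                .withOptions(options)
                .registerBatchLoader((ids, env) -> loadAuthors(ids));
    }

    // Registration that follows the recommendation: no DataLoaderOptions
    // instance is supplied, so the DataLoader runs with default options.
    static void registerWithoutOptions(DefaultBatchLoaderRegistry registry) {
        registry.forTypePair(Long.class, Author.class)
                .registerBatchLoader((ids, env) -> loadAuthors(ids));
    }
}
```

When reviewing an application on an affected version, calls to `withOptions(...)` that pass a `DataLoaderOptions` instance on a batch loader registration are the places to check.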