PT-2025-15293 · Unknown · Apollo-Compiler

Published

2025-04-07

·

Updated

2025-04-08

·

CVE-2025-31496

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

apollo-compiler versions prior to 1.27.0

Description

apollo-compiler is a query-based compiler for the GraphQL query language. Prior to version 1.27.0, queries with deeply nested and reused named fragments were prohibitively expensive to validate: in some cases a named fragment was re-validated once per fragment spread rather than once per definition, so a fragment that is spread several times at each of several nesting levels is validated a number of times that grows exponentially with the nesting depth. A small, syntactically valid query could therefore consume excessive resources during validation and cause a denial of service in applications that validate untrusted queries with this crate.

Recommendations

Update to version 1.27.0 or later, which resolves the issue. As a temporary workaround, restrict or reject queries that use deeply nested and reused named fragments (for example, by bounding fragment nesting depth and the number of fragment spreads before validation) to minimize the risk of excessive resource consumption.
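The following Rust program is an added example written for this page; it is not apollo-compiler's code and uses a constructed, minimal selection-set model rather than the crate's AST. It shows why validating a named fragment once per spread (the pattern in the Description) costs exponential work, how validating each fragment once (the memoized fix) makes the same document linear, and a pre-validation gate of the kind the Recommendations describe. The limits passed to `admit_query` are illustrative values, not values the advisory prescribes.

```rust
// Added example (not apollo-compiler's code): per-spread vs. once-per-fragment
// validation of reused nested fragments, plus a workaround gate.
use std::collections::{HashMap, HashSet};

/// Minimal selection model: a leaf field or a spread of a named fragment.
#[derive(Clone, Debug)]
enum Selection {
    Field(String),
    FragmentSpread(String),
}

/// An operation plus its named fragment definitions (constructed, not a real AST).
struct Document {
    fragments: HashMap<String, Vec<Selection>>,
    operation: Vec<Selection>,
}

/// Fragment F{k} spreads F{k-1} `width` times; F0 is a single field; the
/// operation spreads F{depth}. This is the "deeply nested and reused" shape.
fn build_nested_document(depth: usize, width: usize) -> Document {
    let mut fragments = HashMap::new();
    fragments.insert("F0".to_string(), vec![Selection::Field("id".to_string())]);
    for level in 1..=depth {
        let inner = format!("F{}", level - 1);
        let body: Vec<Selection> =
            (0..width).map(|_| Selection::FragmentSpread(inner.clone())).collect();
        fragments.insert(format!("F{}", level), body);
    }
    Document { fragments, operation: vec![Selection::FragmentSpread(format!("F{}", depth))] }
}

/// Shared walker. With `done == None` every spread re-walks its fragment (the
/// vulnerable pattern); with `done == Some(..)` each fragment is walked once.
/// `visits` counts fragment bodies walked, i.e. the validation work performed.
fn walk(doc: &Document, sel: &[Selection], path: &mut Vec<String>,
        done: &mut Option<HashSet<String>>, visits: &mut usize) -> Result<(), String> {
    for s in sel {
        let name = match s {
            Selection::Field(_) => continue,
            Selection::FragmentSpread(name) => name,
        };
        if done.as_ref().map_or(false, |d| d.contains(name)) {
            continue; // already fully validated: skip the re-walk
        }
        if path.iter().any(|p| p == name) {
            return Err(format!("fragment cycle through {}", name));
        }
        let body = doc.fragments.get(name).ok_or_else(|| format!("unknown fragment {}", name))?;
        *visits += 1;
        path.push(name.clone());
        walk(doc, body, path, done, visits)?;
        path.pop();
        if let Some(d) = done.as_mut() {
            d.insert(name.clone());
        }
    }
    Ok(())
}

/// Vulnerable: k spreads at each of d levels cost k^d walks of the innermost fragment.
fn validate_naive(doc: &Document) -> Result<usize, String> {
    let mut visits = 0;
    walk(doc, &doc.operation, &mut Vec::new(), &mut None, &mut visits)?;
    Ok(visits)
}

/// Fixed: each named fragment is validated once, so work is linear in the document.
fn validate_memoized(doc: &Document) -> Result<usize, String> {
    let mut visits = 0;
    walk(doc, &doc.operation, &mut Vec::new(), &mut Some(HashSet::new()), &mut visits)?;
    Ok(visits)
}

/// Longest chain of fragment spreads below `sel`, memoized so it stays linear.
fn spread_depth(doc: &Document, sel: &[Selection], path: &mut Vec<String>,
                memo: &mut HashMap<String, usize>) -> Result<usize, String> {
    let mut deepest = 0;
    for s in sel {
        let name = match s {
            Selection::Field(_) => continue,
            Selection::FragmentSpread(name) => name,
        };
        if let Some(&d) = memo.get(name) {
            deepest = deepest.max(d);
            continue;
        }
        if path.iter().any(|p| p == name) {
            return Err(format!("fragment cycle through {}", name));
        }
        let body = doc.fragments.get(name).ok_or_else(|| format!("unknown fragment {}", name))?;
        path.push(name.clone());
        let d = 1 + spread_depth(doc, body, path, memo)?;
        path.pop();
        memo.insert(name.clone(), d);
        deepest = deepest.max(d);
    }
    Ok(deepest)
}

fn fragment_nesting_depth(doc: &Document) -> Result<usize, String> {
    spread_depth(doc, &doc.operation, &mut Vec::new(), &mut HashMap::new())
}

/// Syntactic spread count over the operation and every fragment definition.
fn count_spreads(doc: &Document) -> usize {
    std::iter::once(&doc.operation).chain(doc.fragments.values())
        .flat_map(|sel| sel.iter())
        .filter(|s| matches!(s, Selection::FragmentSpread(_)))
        .count()
}

/// Workaround gate: reject before validation when nesting or reuse exceeds the
/// caller's limits (illustrative limits; the advisory prescribes no values).
fn admit_query(doc: &Document, max_depth: usize, max_spreads: usize) -> Result<(), String> {
    let depth = fragment_nesting_depth(doc)?;
    if depth > max_depth {
        return Err(format!("fragment nesting depth {} exceeds limit {}", depth, max_depth));
    }
    let spreads = count_spreads(doc);
    if spreads > max_spreads {
        return Err(format!("{} fragment spreads exceed limit {}", spreads, max_spreads));
    }
    Ok(())
}

fn main() {
    for &(depth, width) in &[(3usize, 2usize), (12, 3)] {
        let doc = build_nested_document(depth, width);
        println!("depth={} width={} naive={} memoized={} gate={:?}", depth, width,
                 validate_naive(&doc).unwrap(), validate_memoized(&doc).unwrap(),
                 admit_query(&doc, 8, 64));
    }
}
```

With depth 12 and fan-out 3 the per-spread walker validates fragment bodies 797,161 times while the once-per-fragment walker does 13; adding a level multiplies the former by 3 and adds 1 to the latter. The gate runs only the memoized depth computation, so it never triggers the expensive path itself.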

Exploit

Fix

Weakness Enumeration

DoS
Allocation of Resources Without Limits

Related Identifiers

CVE-2025-31496
GHSA-7MPV-9XG6-5R79

Affected Products

Apollo-Compiler