PT-2026-6185 · Apollo · @Apollo/Server/Standalone+1

Chalker · Published 2026-02-04 · Updated 2026-05-06 · CVE-2026-23897

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apollo Server versions 2.0.0 through 3.13.0
Apollo Server versions 4.2.0 through 4.13.0
Apollo Server versions 5.0.0 through 5.4.0
Description
Apollo Server, a GraphQL server, is susceptible to denial of service (DoS) attacks. The cause is the default configuration of the startStandaloneServer function from the @apollo/server/standalone package: specially crafted request bodies containing unusual character set encodings can trigger the issue. Only users who call startStandaloneServer directly are affected; deployments that integrate Apollo Server through packages such as @as-integrations/express5 or @as-integrations/next are not impacted.
Recommendations
Versions 2.0.0 through 3.13.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Versions 4.2.0 through 4.13.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Versions 5.0.0 through 5.4.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: DoS

Weakness Enumeration

Related Identifiers

CVE-2026-23897
GHSA-MP6Q-XF9X-FWF7

Affected Products

@Apollo/Server/Standalone
Apollo Server