Vulnerability	Vulnerable Version
M Information Exposure Through Caching Affected versions of this package are vulnerable to Information Exposure Through Caching due to improper caching of `GraphQL` operations when root-level transforms are applied. An attacker can send the same query with different variables but the initial set of variables will be used for all subsequent requests until the cache evicts the `DocumentNode`. Note: This issue is treated separately from this issue as it occurs only when an OpenAPI handler is added to the schema. Until further confirmation, it is considered a distinct bypass. How to fix Information Exposure Through Caching? Upgrade `@graphql-mesh/runtime` to version 0.96.9 or higher.	>=0.96.5 <0.96.9
H Uncontrolled Resource Consumption ('Resource Exhaustion') Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when the `cache variables` function is used in conjunction with `operations` and `transforms` at the root level. An attacker can manipulate the system to use initial variables in all subsequent requests, even if the variables change, by sending the same query with different variables. This can result in a short-term memory leak, as the system will continue to use the initial variables until the cache evicts the DocumentNode through the LRU mechanism. How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')? Upgrade `@graphql-mesh/runtime` to version 0.96.9 or higher.	>=0.96.5 <0.96.9

Information Exposure Through Caching

Affected versions of this package are vulnerable to Information Exposure Through Caching due to improper caching of GraphQL operations when root-level transforms are applied. An attacker can send the same query with different variables but the initial set of variables will be used for all subsequent requests until the cache evicts the DocumentNode.

Note: This issue is treated separately from this issue as it occurs only when an OpenAPI handler is added to the schema. Until further confirmation, it is considered a distinct bypass.

How to fix Information Exposure Through Caching?

Upgrade @graphql-mesh/runtime to version 0.96.9 or higher.

>=0.96.5 <0.96.9

Uncontrolled Resource Consumption ('Resource Exhaustion')

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when the cache variables function is used in conjunction with operations and transforms at the root level. An attacker can manipulate the system to use initial variables in all subsequent requests, even if the variables change, by sending the same query with different variables. This can result in a short-term memory leak, as the system will continue to use the initial variables until the cache evicts the DocumentNode through the LRU mechanism.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade @graphql-mesh/runtime to version 0.96.9 or higher.

>=0.96.5 <0.96.9

Go back to all versions of this package