CVE-2026-23897

Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643	Patch
https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4	Patch
https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apollographql:apollo_server::::::::
	cpe:2.3:a:apollographql:apollo_server::::::::
	cpe:2.3:a:apollographql:apollo_server::::::::

History

18 Mar 2026, 13:06

Type	Values Removed	Values Added
References	~~() https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643 -~~	() https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643 - Patch
References	~~() https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4 -~~	() https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4 - Patch
References	~~() https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7 -~~	() https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7 - Mitigation, Vendor Advisory
Summary		(es) Apollo Server es un servidor GraphQL de código abierto, compatible con especificaciones, que es compatible con cualquier cliente GraphQL, incluyendo Apollo Client. En las versiones de 2.0.0 a 3.13.0, de 4.2.0 a antes de 4.13.0, y de 5.0.0 a antes de 5.4.0, la configuración predeterminada de startStandaloneServer de @apollo/server/standalone es vulnerable a ataques de denegación de servicio (DoS) a través de cuerpos de solicitud especialmente diseñados con codificaciones de conjuntos de caracteres exóticas. Este problema no afecta a los usuarios que usan @apollo/server como dependencia para paquetes de integración, como @as-integrations/express5 o @as-integrations/next, solo el uso directo de startStandaloneServer.
First Time		Apollographql Apollographql apollo Server
CPE		cpe:2.3:a:apollographql:apollo_server::::::::

04 Feb 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 20:16

Updated : 2026-03-18 13:06

NVD link : CVE-2026-23897

Mitre link : CVE-2026-23897

CVE.ORG link : CVE-2026-23897

JSON object : View

Products Affected

apollographql

apollo_server

CWE

CWE-1333

Inefficient Regular Expression Complexity

7.5 /10