CVE-2024-40094

Improper Input Validation (4.16)
Affects: GraphQL Java (graphql-java)
Versions: <19.11, >=20.0 <20.9, >=21.0 <21.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

GraphQL Java (graphql-java) is a widely used open-source Java implementation of the GraphQL specification, enabling applications to expose and execute GraphQL queries on a Java platform. As part of its functionality, GraphQL Java analyzes and executes introspection queries that allow clients to discover schema structure and types.

A security vulnerability (CVE-2024-40094) has been identified in GraphQL Java. The issue arises from the library’s failure to properly take into account ExecutableNormalizedFields (ENFs) when processing introspection queries. Attackers capable of submitting crafted introspection requests to a vulnerable GraphQL endpoint can trigger excessive computational work, which may exhaust CPU or memory resources and degrade or halt the service. Systems exposing GraphQL introspection endpoints without protective controls are at elevated risk and should upgrade to patched GraphQL Java releases.

Per OWASP: Improper Input Validation occurs when the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

This issue affects multiple versions of GraphQL Java (graphql-java).

Details

Module Info

Vulnerability Info

This denial-of-service (DoS) vulnerability is found in the graphql-java library’s query execution logic that handles introspection requests. GraphQL Java is intended to safely evaluate valid introspection queries; however, the library does not properly consider ExecutableNormalizedFields when determining how to defend against resource-intensive query constructions. An attacker with network access to a GraphQL endpoint can send specially crafted introspection queries designed to engage deep or complex ENF structures, causing the server to consume excessive CPU cycles and memory.

Because the introspection capability is often publicly accessible in GraphQL services, this vulnerability can be triggered remotely without authentication. The underlying weakness reflects improper input processing and insufficient control of resource allocation in query execution.

Steps To Reproduce

  1. Deploy or build a Java application that uses an affected version of graphql-java.
  2. Expose a GraphQL endpoint that allows introspection queries without stringent request size or complexity controls.
  3. Craft one or more introspection queries that include deeply nested or complex fields taking advantage of the ENF processing gap.
  4. Send the crafted queries repeatedly or in rapid succession to the GraphQL endpoint. In affected versions, the server will attempt to process these introspection queries without appropriate limits, leading to increased CPU/memory usage and eventual denial of service.

Proof Of Concept

In a vulnerable environment, a remote attacker can generate introspection queries that recursively explore or expand executable fields with complex structures. When these queries are submitted to an endpoint running an affected version of GraphQL Java, the lack of ENF consideration causes the execution engine to expand and compute on many fields without throttling or limiting resource consumption. As a result, the application’s process will rapidly consume CPU and/or memory, ultimately making the GraphQL service unresponsive or causing it to crash. This demonstrates how improper handling of introspection inputs can be exploited to degrade availability in affected applications.  

Mitigation

Only recent versions of GraphQL Java are community-supported, and only those versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of GraphQL Java.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
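The reproduction steps above note that endpoints without request size or complexity controls are the ones at risk. The following is an added example, not part of this advisory or of graphql-java's own code, showing how a service can bound query depth and complexity with graphql-java's built-in query-analysis instrumentations so that an oversized introspection document is rejected before the engine expands it. The schema and the numeric limits are assumptions chosen for the demo; upgrading to a patched release remains the fix for CVE-2024-40094.

```java
// Added example: bound query depth/complexity as a compensating control.
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.execution.instrumentation.ChainedInstrumentation;
import graphql.execution.instrumentation.Instrumentation;
import graphql.introspection.IntrospectionQuery;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;
import java.util.List;

public class BoundedIntrospection {
    // Constructed minimal schema (assumption); a real service loads its own SDL.
    static final String SDL = "type Query { hello: String }";

    static GraphQL buildEngine(int maxDepth, int maxComplexity) {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        GraphQLSchema schema = new SchemaGenerator()
                .makeExecutableSchema(registry, RuntimeWiring.newRuntimeWiring().build());
        // Both instrumentations analyse the parsed document before execution and
        // abort with a GraphQL error once the configured bound is exceeded, so the
        // limit applies to introspection documents as well as ordinary queries.
        Instrumentation limits = new ChainedInstrumentation(List.of(
                new MaxQueryDepthInstrumentation(maxDepth),
                new MaxQueryComplexityInstrumentation(maxComplexity)));
        return GraphQL.newGraphQL(schema).instrumentation(limits).build();
    }

    public static void main(String[] args) {
        // Limits (assumed values) that typical client queries stay under; the full
        // standard introspection document is deep and wide and is likely to exceed
        // them. The program reports whichever outcome the engine produces.
        ExecutionResult result = buildEngine(10, 200)
                .execute(IntrospectionQuery.INTROSPECTION_QUERY);
        if (result.getErrors().isEmpty()) {
            System.out.println("introspection accepted within configured bounds");
        } else {
            result.getErrors().forEach(e -> System.out.println("rejected: " + e.getMessage()));
        }
    }
}
```

Tune the two numbers against the deepest and widest query a legitimate client actually issues, and log rejections so that a burst of over-limit introspection requests is visible to monitoring.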

Credit

  • Donna Zhou

Vulnerability Details

ID: CVE-2024-40094
Project Affected: GraphQL Java
Versions Affected: <19.11, >=20.0 <20.9, >=21.0 <21.5
NES Versions Affected: none listed
Published date: January 5, 2026
≈ Fix date: May 22, 2024
Severity: Medium
CVSS Assessment scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Improper Input Validation (4.16)