CVE-2026-23897
📋 TL;DR
Apollo Server's startStandaloneServer function is vulnerable to denial-of-service attacks when attackers send GraphQL requests with specially crafted character set encodings. This affects users running Apollo Server directly with startStandaloneServer in vulnerable versions, but not those using integration packages like Express or Next.js.
💻 Affected Systems
- Apollo Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion from crafted requests, potentially causing extended downtime.
Likely Case
Service degradation or temporary unavailability requiring restart of affected Apollo Server instances.
If Mitigated
Minimal impact with proper request validation and rate limiting in place.
🎯 Exploit Status
Exploitation requires sending specially crafted request bodies with exotic character set encodings to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.13.1, 4.13.0, 5.4.0
Vendor Advisory: https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7
Restart Required: Yes
Instructions:
1. Update Apollo Server to version 3.13.1, 4.13.0, or 5.4.0 or later.
2. Update package.json dependencies.
3. Run npm install or yarn install.
4. Restart the Apollo Server application.
🔧 Temporary Workarounds
Switch to Integration Package
Migrate from startStandaloneServer to running Apollo Server with an integration package such as Express or Next.js.
Request Validation Middleware
Implement middleware that rejects requests whose Content-Type header declares a non-standard character set encoding.
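The following is an added illustration of that workaround, not code from the advisory or from Apollo Server: a small charset check plus an Express-style (req, res, next) middleware that answers 415 when the Content-Type charset parameter is anything other than UTF-8. The allow-list, the default of accepting requests with no charset parameter, and the error body shape are assumptions.

```javascript
// Added example: reject GraphQL requests that declare an exotic charset.
// Assumption: only UTF-8 (and its common alias) is acceptable for JSON bodies.
const ALLOWED_CHARSETS = new Set(["utf-8", "utf8"]);

// Parse the charset parameter from a Content-Type header value.
// Returns the lower-cased charset, or null when no charset is declared.
function parseCharset(contentType) {
  if (typeof contentType !== "string") return null;
  const params = contentType.split(";").slice(1);
  for (const param of params) {
    const [name, ...rest] = param.split("=");
    if (name.trim().toLowerCase() === "charset") {
      // Strip optional surrounding quotes, e.g. charset="UTF-8"
      return rest.join("=").trim().replace(/^"(.*)"$/, "$1").toLowerCase();
    }
  }
  return null;
}

// Decide whether a request with this Content-Type may proceed.
// Assumption: a missing charset parameter is treated as UTF-8 and allowed,
// so only an explicitly declared non-UTF-8 charset is refused.
function isAcceptableContentType(contentType) {
  const charset = parseCharset(contentType);
  if (charset === null) return true;
  return ALLOWED_CHARSETS.has(charset);
}

// Hypothetical middleware with the Express (req, res, next) signature.
// Rejected requests never reach the GraphQL body parser, so the crafted
// encoding is never decoded.
function rejectExoticCharsets(req, res, next) {
  const contentType = req.headers ? req.headers["content-type"] : undefined;
  if (!isAcceptableContentType(contentType)) {
    res.statusCode = 415; // Unsupported Media Type
    res.setHeader("Content-Type", "application/json; charset=utf-8");
    res.end(JSON.stringify({ errors: [{ message: "Unsupported charset" }] }));
    return;
  }
  next();
}
```

Mount the middleware ahead of the GraphQL route so it runs before any body parsing.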
🧯 If You Can't Patch
- Implement strict rate limiting and request size limits on GraphQL endpoints
- Deploy web application firewall (WAF) rules to block requests with exotic character set encodings
🔍 How to Verify
Check if Vulnerable:
Check package.json for Apollo Server version and verify if using startStandaloneServer directly.
Check Version:
Run npm list @apollo/server, or check the version field in package.json.
Verify Fix Applied:
Confirm Apollo Server version is 3.13.1+, 4.13.0+, or 5.4.0+ and verify no DoS occurs with test requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual request patterns with exotic character sets
- High CPU/memory usage spikes
- GraphQL endpoint timeouts
Network Indicators:
- Multiple requests with Content-Type headers specifying exotic character sets
- Abnormal request body sizes
SIEM Query:
source="apollo-server" AND (message="timeout" OR message="memory" OR message="CPU")