Denial of Service Vulnerability in Apollo Server by Apollo GraphQL
CVE-2026-23897
7.5HIGH
What is CVE-2026-23897?
Apollo Server versions 2.0.0 through 3.13.0, 4.2.0 through before 4.13.0, and 5.0.0 through before 5.4.0 are susceptible to denial of service (DoS) attacks. This issue arises when the default configuration of the startStandaloneServer function from @apollo/server/standalone is utilized with specially crafted request bodies that exploit unusual character set encodings. Notably, this vulnerability does not impact those using @apollo/server as a dependency for integration packages, such as @as-integrations/express5 or @as-integrations/next.
Affected Version(s)
apollo-server >= 2.0.0, <= 3.13.0 <= 2.0.0, 3.13.0
apollo-server >= 4.2.0, < 4.13.0 < 4.2.0, 4.13.0
apollo-server >= 5.0.0, < 5.4.0 < 5.0.0, 5.4.0