CVE-2024-47614 HIGH

CVE-2024-47614: async-graphql vulnerable to Directive Overload

Vendor Async-Graphql
Product async-graphql
Weakness CWE-770 · Uncontrolled resource consumption
Published October 3, 2024
Last update October 3, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

async-graphql is a GraphQL server library implemented in Rust. Versions of async-graphql before 7.0.10 do not limit the number of directives on a field. This can lead to service disruption, resource exhaustion, and user experience degradation. The vulnerability is fixed in 7.0.10.

Key dates

02 Disclosure timeline

October 3, 2024 CVE published
October 3, 2024 Record updated