5.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27097

GHSA ID

GHSA-rr4x-crhf-8886

EPSS Score

0.30277%

CWE

CWE-400

Published

10/10/2023

Updated

2/28/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27097

CVE-2025-27097: Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation

When you have transforms on the root level or single source with transforms, and the client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode.

Let's say if a token is sent via variables, the following requests will act like the same token is sent even if the following requests have different tokens.

This can cause a short memory leak but it won't grow per each request but per different operation until the cache evicts DocumentNode by LRU mechanism.

(GitHub Advisory)

5.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27097

GHSA ID

GHSA-rr4x-crhf-8886

EPSS Score

0.30277%

CWE

CWE-400

Published

10/10/2023

Updated

2/28/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@graphql-mesh/runtime	npm	>= 0.96.5, < 0.96.9	0.96.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper caching of execution requests. The commit diff shows a critical change in useSubschema.ts where the transformedRequestCache (which stored full requests with variables) was replaced with transformedDocumentNodeCache (which only caches DocumentNodes). The original implementation's WeakMap<DocumentNode, {transformedRequest: ExecutionRequest}> would retain initial variables across requests, while the patched version WeakMap<DocumentNode, DocumentNode> only preserves the query structure. This matches the vulnerability description where variables weren't properly refreshed between same-operation requests with transforms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n you **v* tr*ns*orms on t** root l*v*l or sin*l* sour** wit* tr*ns*orms, *n* t** *li*nt s*n*s t** s*m* qu*ry wit* *i***r*nt v*ri**l*s, t** initi*l v*ri**l*s *r* us** in *ll *ollowin* r*qu*sts until t** ***** *vi*ts *o*um*ntNo**. L*t's s*y i* * t

Reasoning

T** vuln*r**ility st*ms *rom improp*r ****in* o* *x**ution r*qu*sts. T** *ommit *i** s*ows * *riti**l ***n** in `us*Su*s***m*.ts` w**r* t** `tr*ns*orm**R*qu*st*****` (w*i** stor** *ull r*qu*sts wit* v*ri**l*s) w*s r*pl**** wit* `tr*ns*orm***o*um*ntNo

5.1

Basic Information

Concerned about an active attack path?

CVE-2025-27097: Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation

5.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI