Description
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Published: 2026-02-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (DoS) via specially crafted request bodies
Action: Patch or Upgrade
AI Analysis

Impact

Apollo Server, a popular GraphQL server, suffers from a denial‑of‑service vulnerability when the default startStandaloneServer configuration is used. Attackers can craft request bodies employing exotic character‑set encodings to exhaust server resources. The weakness is identified as CWE‑1333, reflecting unvalidated, bizarre input that triggers abnormal processing.

Affected Systems

The vulnerability affects Apollo Server packages from multiple major releases: versions 2.0.0 through 3.13.0, 4.2.0 through 4.12.x, and 5.0.0 through 5.3.x. Direct usage of startStandaloneServer in these ranges is impacted; integration of Apollo Server via wrappers such as @as‑integrations/express5 or @as‑integrations/next is not affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity with moderate complexity for exploit. The EPSS score of less than 1% suggests that the likelihood of publicly available exploitation is currently low, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, an attacker who can send crafted request bodies to a publicly exposed GraphQL endpoint running an affected version can cause resource exhaustion, leading to service downtime. The attack vector is inferred to be remote and network‑based, requiring no local privileges.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apollo Server to a version outside the affected ranges—3.13.1 or later, 4.13.0 or later, or 5.4.0 or later, where the vulnerability has been patched.
  • If an upgrade is not feasible, avoid using startStandaloneServer; instead, integrate Apollo Server via the available framework adapters (for example, @as‑integrations/express5 or @as‑integrations/next).
  • Implement request‑payload validation or filtering in your application layer to reject exotic character‑encoding payloads when the startStandaloneServer API must remain in use.

Generated by OpenCVE AI on April 17, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mp6q-xf9x-fwf7 Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`
History

Wed, 18 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Apollographql apollo Server
CPEs cpe:2.3:a:apollographql:apollo_server:*:*:*:*:*:*:*:*
Vendors & Products Apollographql apollo Server

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apollographql
Apollographql apollo Explorer
Vendors & Products Apollographql
Apollographql apollo Explorer

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Title Apollo Server is vulnerable to denial of service with `startStandaloneServer`
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Apollographql Apollo Explorer Apollo Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:55:22.294Z

Reserved: 2026-01-16T21:02:02.903Z

Link: CVE-2026-23897

cve-icon Vulnrichment

Updated: 2026-02-04T19:55:15.426Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T20:16:05.130

Modified: 2026-03-18T13:06:52.940

Link: CVE-2026-23897

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses