CVE-2024-40094: 
Java vulnerability analysis and mitigation

GraphQL Java (aka graphql-java) before version 21.5 contains a vulnerability that does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. The vulnerability is tracked as CVE-2024-40094. Fixed versions include 21.5, 20.9, and 19.11 (NVD, GitHub Discussion).

The vulnerability relates to the handling of ExecutableNormalizedFields (ENFs) in introspection queries. The issue was addressed by implementing limits on the number of ENFs created and adding depth restrictions for introspection queries. The fix includes setting a maximum field count of 500 and a maximum depth count of 20 for good faith introspection queries. The CVSS v3.1 base score is 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Red Hat CVE).

The vulnerability could allow an attacker to perform a denial of service (DoS) attack through introspection queries by creating an excessive number of ExecutableNormalizedFields, potentially exhausting system resources (Red Hat Advisory).

Users should upgrade to one of the following fixed versions: GraphQL Java 21.5, 20.9, or 19.11. The fix implements restrictions on the number of ENFs created and adds depth limitations for introspection queries (GitHub Discussion).