CVE-2025-27097: 
JavaScript vulnerability analysis and mitigation

GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. The vulnerability (CVE-2025-27097) was discovered in February 2025 and affects the caching mechanism when using transforms on the root level or single source. When a client sends the same query with different variables, the initial variables are used in all following requests until the cache evicts DocumentNode (NVD, GitHub Advisory).

The vulnerability occurs in the caching mechanism of GraphQL Mesh when transforms are implemented on the root level or single source. When a client sends identical queries with different variables, the system continues to use the initial variables for all subsequent requests until the DocumentNode is evicted from the cache. This behavior is particularly concerning when tokens are sent via variables, as subsequent requests will use the same token even when different tokens are provided. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and CVSS v4.0 score of 5.1 MEDIUM (NVD).

The primary impact of this vulnerability is a memory leak condition. While the leak is limited in scope, it doesn't grow with each request but rather per different operation until the cache evicts DocumentNode through the LRU (Least Recently Used) mechanism. This can lead to potential security implications when tokens are involved, as the system may continue using outdated authentication tokens (GitHub Advisory).

The vulnerability has been patched in version 0.96.9 of @graphql-mesh/runtime. Users are strongly advised to upgrade to this version or later to address the security issue (GitHub Advisory).