{"id":"CVE-2024-40094","details":"GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.","aliases":["GHSA-h9mq-f6q5-6c8m"],"modified":"2026-05-18T05:57:52.528194488Z","published":"2024-07-30T00:00:00Z","related":["CGA-wc6c-w59g-7f77"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40094.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://github.com/graphql-java/graphql-java/discussions/3641"},{"type":"WEB","url":"https://github.com/graphql-java/graphql-java/releases/tag/v19.11"},{"type":"WEB","url":"https://github.com/graphql-java/graphql-java/releases/tag/v20.9"},{"type":"WEB","url":"https://github.com/graphql-java/graphql-java/releases/tag/v21.5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40094.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40094"},{"type":"FIX","url":"https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"},{"type":"FIX","url":"https://github.com/graphql-java/graphql-java/pull/3539"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphql-java/graphql-java","events":[{"introduced":"0"},{"fixed":"25667a13e528a2b2c4fa372b363ffbb00184316a"}]}],"versions":["v21.4","v21.1","v21.0","v20.2","v20.1","v20.0","v19.1","v19.0","v17.3","v18.1","v18.0","v17.2","v17.0","v17.0.0-beta1","v17.0-beta1","v16.2","v16.1","v16.0","v15.0","v9.7","v14.0","v13.0","v12.0","12.0","v11.0","v10.0","v9.1","v9.0","v8.0","v7.0","v6.0","v5.0","v4.0","v3.0.0","v2.4.0","v2.3.0","v2.2.0","v2.1.0","v2.0.0","v1.3","v1.2","v1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40094.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}