{"id":"GO-2024-2920","summary":"Denial of service vulnerability via the parseDirectives function in github.com/vektah/gqlparser","details":"An issue in the vektah gqlparser open-source library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function. This record lists no fixed version for the unversioned module github.com/vektah/gqlparser; github.com/vektah/gqlparser/v2 is fixed in 2.5.14.","aliases":["CVE-2023-49559","GHSA-2hmf-46v7-v6fx"],"modified":"2026-02-04T02:19:19.852945Z","published":"2024-07-01T19:59:12Z","related":["CGA-8p69-4x8m-hf9q"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2920","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2hmf-46v7-v6fx"},{"type":"FIX","url":"https://github.com/vektah/gqlparser/commit/36a3658873bf5a107f42488dfc392949cdd02977"},{"type":"WEB","url":"https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1"},{"type":"WEB","url":"https://github.com/99designs/gqlgen/issues/3118"},{"type":"WEB","url":"https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316"}],"affected":[{"package":{"name":"github.com/vektah/gqlparser","ecosystem":"Go","purl":"pkg:golang/github.com/vektah/gqlparser"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"symbols":["ParseQuery","ParseSchema","ParseSchemas","parser.parseDirectives"],"path":"github.com/vektah/gqlparser/parser"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2920.json"}},{"package":{"name":"github.com/vektah/gqlparser/v2","ecosystem":"Go","purl":"pkg:golang/github.com/vektah/gqlparser/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.5.14"}]}],"ecosystem_specific":{"imports":[{"symbols":["ParseQuery","ParseSchema","ParseSchemas","parser.parseDirectives"],"path":"github.com/vektah/gqlparser/v2/parser"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2920.json"}}],"schema_version":"1.7.3"}