
Add CVSS 3.1 severity for GHSA-cgqf-3cq5-wvcj #6873

Merged

advisory-database[bot] merged 1 commit into github:sunnypatell/advisory-improvement-6873 from sunnypatell:cvss-GHSA-cgqf-3cq5-wvcj
Feb 17, 2026

@sunnypatell

Changes

Added CVSS 3.1 scoring to GHSA-cgqf-3cq5-wvcj (Apollo Router compressed payload limit bypass).

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)

CVSS justification

  • AV:N - exploitable over the network via GraphQL HTTP requests
  • AC:L/PR:N/UI:N - any unauthenticated client can send compressed payloads exceeding the configured HTTP limit
  • A:H - compressed payloads bypass size limits, allowing oversized requests that exhaust router memory and cause denial of service

References

Copilot AI review requested due to automatic review settings February 13, 2026 20:56
@github-actions github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6873 February 13, 2026 20:58

Copilot AI left a comment


Pull request overview

This PR adds CVSS 3.1 severity scoring to the GitHub Security Advisory GHSA-cgqf-3cq5-wvcj for the Apollo Router compressed payload limit bypass vulnerability. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H assigns a score of 7.5 (High severity), reflecting a network-exploitable denial of service vulnerability that requires no authentication.

Changes:

  • Added CVSS 3.1 severity scoring to the security advisory
  • Populated the previously empty severity array with the appropriate vector string


@shelbyc (Contributor)

shelbyc commented Feb 17, 2026

Hi @sunnypatell, in this case, I think adding a CVSS to GHSA-cgqf-3cq5-wvcj is appropriate and CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is a reasonable choice because the high severity is close enough to the medium severity from the advisory. CVSS 4.0 changed how denial of service vulnerabilities are scored, but if someone comes to https://github.com/github/advisory-database with concerns about the CVSS 3.1 score for GHSA-cgqf-3cq5-wvcj, we can discuss CVSS 4.0 then.

@advisory-database advisory-database bot merged commit 4172030 into github:sunnypatell/advisory-improvement-6873 Feb 17, 2026
7 of 8 checks passed
@advisory-database (Contributor)

Hi @sunnypatell! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@sunnypatell (Author)

Appreciate the context @shelbyc, that's a useful framing. Makes sense that the 3.1 HIGH to MEDIUM gap is acceptable here given how CVSS 4.0 rescopes DoS scoring. Will keep that threshold in mind for future submissions.
