A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader functions through DefaultBatchLoaderRegistry.
{ "nvd_published_at": "2023-09-20T10:15:14Z", "cwe_ids": [], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-09-21T16:59:16Z" }