Skip to main content

Security

Supported versions

If a security issue occurs, we will patch the latest version and backport the security patch for versions released in the past 18 months, as stated in our release policy.

These fixes will be backported depending on severity and demand. As security fixes are time sensitive, we will release them on demand instead of waiting for the next scheduled release date.

The maintainers reserve the right to make a pragmatic decision to make adjustments to the security policy.

Reporting a vulnerability

caution

🚨 To report a vulnerability, DO NOT open a pull request or issue or GitHub discussion. DO NOT post publicly.

Instead, report the vulnerability privately via the Security tab on the graphql-java GitHub repository. See instructions at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability.

Disclosure policy

The GraphQL Java maintainers will collaborate with those who report vulnerabilities privately via the GitHub vulnerability reporting form. We will acknowledge and review vulnerability reports as soon as we can. To protect the community, please do not publicly disclose the vulnerability. The maintainers will make a public announcement after the vulnerability is fixed.

Please allow time for the maintainers to review vulnerability reports, please note we are an open source project run by volunteers.

Common Vulnerabilities and Exposures (CVEs)

CVE-2024-40094

Patched by versions 21.5, 20.9, 19.11, build version 0.0.0-2024-03-22T04-18-12-97743bc, or later

CVE-2023-29470

Patched by versions 20.2, 19.5, 18.5, 17.6, build version 0.0.0-2023-03-29T23-54-31-fabc3e0, or later

CVE-2023-28867

Patched by versions 20.1, 19.4, 18.4, 17.5, build version 0.0.0-2023-03-20T01-49-44-80e3135, or later

CVE-2022-37734

Patched by versions 19.0, 18.3, 17.4, build version 0.0.0-2022-07-26T05-45-04-226aabd9, or later