DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23735: Singleton Roulette: Racing for Context in GraphQL Modules


Vulnerability ID: CVE-2026-23735
CVSS Score: 8.7
Published: 2026-01-16

A critical race condition in the popular graphql-modules library allows request contexts to leak between concurrent requests when the @ExecutionContext decorator is used inside a Singleton-scoped service. In practice, User A can unintentionally inherit the session, authentication tokens, or data of User B when their requests are processed at the same time.

TL;DR

Using @ExecutionContext() inside a Singleton service in graphql-modules stores per-request context on a single instance that every request shares. In a concurrent environment (that is, any real-world API) this is a classic race condition: parallel requests overwrite each other's context data, and the result is severe identity confusion and data leakage. The fix is to upgrade to version 2.4.1 or 3.1.1, or to avoid context injection in singletons altogether.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-362 (Race Condition)
  • CVSS v4.0: 8.7 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Affected Systems

  • GraphQL Modules (npm package: graphql-modules)
  • graphql-modules: >= 2.2.1 < 2.4.1 (Fixed in: 2.4.1)
  • graphql-modules: >= 3.0.0 < 3.1.1 (Fixed in: 3.1.1)

Code Analysis

Commit: b476c22

Fix ExecutionContext race condition in Singletons

No diff available

Exploit Details

  • GitHub Advisory: Official PoC demonstrating the race condition with async resolvers.

Mitigation Strategies

  • Upgrade graphql-modules to patched versions.
  • Refactor Singleton services to use Scope.Operation or Scope.Request.
  • Remove @ExecutionContext() usage in Singletons and pass context as method arguments.
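The race described in the TL;DR and the "pass context as method arguments" mitigation above, as an added example that is not taken from the advisory or from graphql-modules: a constructed singleton that stores the request context on itself, beside a variant that receives it as an argument. No framework is involved; the decorator and scope behaviour are mimicked by hand, so the class, function and user names are assumptions.

```javascript
// Constructed stand-in for the vulnerable pattern (no graphql-modules dependency).
// SingletonUserService mimics a Scope.Singleton service whose request context is
// injected via @ExecutionContext(): one instance, one `context` slot, shared by
// every in-flight request.
class SingletonUserService {
  constructor() {
    this.context = null; // the shared mutable state at the heart of CVE-2026-23735
  }
  async currentUserId(ctx) {
    this.context = ctx;          // the framework writes this request's context here
    await lookupProfile();       // any await lets another request run and overwrite it
    return this.context.userId;  // reads whichever request wrote last
  }
}

// Hardened variant: the context travels with the call, so nothing per-request
// lives on the shared instance. An Operation-scoped service (new instance per
// request) removes the shared slot in the same way.
class SafeUserService {
  async currentUserId(ctx) {
    await lookupProfile();
    return ctx.userId;
  }
}

// Stand-in for a database or HTTP call; it yields to the event loop like real I/O.
function lookupProfile() {
  return new Promise((resolve) => setImmediate(resolve));
}

// Run two requests concurrently and report who each caller asked for versus who
// it got back. With the singleton, both calls come back as "bob".
async function runConcurrent(service) {
  const requests = [{ userId: 'alice' }, { userId: 'bob' }]; // constructed sample contexts
  const received = await Promise.all(requests.map((ctx) => service.currentUserId(ctx)));
  return requests.map((ctx, i) => ({ requested: ctx.userId, received: received[i] }));
}

// Number of requests that received another user's identity; anything non-zero
// fails the "verify the fix" step when this is used as a regression test.
function countLeaks(results) {
  return results.filter((r) => r.requested !== r.received).length;
}

runConcurrent(new SingletonUserService()).then((r) => console.log('singleton:', countLeaks(r), 'leak(s)', r));
runConcurrent(new SafeUserService()).then((r) => console.log('hardened:', countLeaks(r), 'leak(s)', r));
```

The interleaving is deterministic here because both requests park on the same `await`; in a real server the window is the same, only the timing varies.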

Remediation Steps:

  1. Identify all services using @Injectable({ scope: Scope.Singleton }).
  2. Check if these services use the @ExecutionContext() decorator.
  3. Run npm install graphql-modules@latest or specifically target 2.4.1/3.1.1.
  4. Verify the fix by running the parallel request PoC.


Read the full report for CVE-2026-23735 on our website for more details including interactive diagrams and full exploit analysis.
