GraphQL Java is the CVE Numbering Authority (CNA) for GraphQL Java, Java DataLoader, GraphQL Java Extended Scalars, and GraphQL Java Extended Validation.
As stated in our Release Policy, we will backport critical bugfixes and security fixes for versions dating back 18 months. These fixes will be backported depending on severity and demand.
🚨 To report a vulnerability, DO NOT open a pull request, issue, or GitHub discussion. DO NOT post publicly.
Instead, report the vulnerability privately via the Security tab on the graphql-java GitHub repository. See instructions at https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability