## Netflix DGS GraphQL Framework Exposes Critical 9.8 CVSS Vulnerabilities in Spring WebMVC
A critical security exposure has been identified within the dependency chain of Netflix's widely used GraphQL framework, DGS (Domain Graph Service). The `graphql-dgs-platform-dependencies:7.3.6` package, a core dependency for building GraphQL services, contains 64 vulnerabilities, with the highest severity rated a maximum 9.8 on the CVSS scale. This flaw is not abstract: it is directly traced to a vulnerable version of `spring-webmvc-6.0.11.jar` embedded within the DGS platform dependencies, exposing any service built on this framework to potential remote code execution and other severe attacks.

The vulnerability was discovered in a specific commit (`95324844e8221abe0463568f59eb12746be5550d`) of a `gradle-multi-project` repository, pinpointing the exact path to the compromised library. The issue stems from the Spring Web MVC component, a foundational part of the Java ecosystem used for building web applications. The presence of a 9.8 CVSS vulnerability (critical severity with low attack complexity) signals an immediate and severe risk for development teams relying on this specific DGS platform dependency version in production systems.

This discovery places significant pressure on organizations using Netflix DGS, particularly those in microservices and API-driven architectures. Teams must urgently audit their `build.gradle.kts` or similar dependency files to check for the affected `graphql-dgs-platform-dependencies:7.3.6` artifact. The remediation path involves upgrading to a patched version of the DGS platform dependencies, but the widespread use of this framework means the exposure surface is substantial. This incident underscores the persistent supply chain risks in modern software development, where a single vulnerable transitive dependency in a popular platform can compromise the security posture of countless downstream applications.
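As an added example, not taken from the report or from the DGS project: a small Python script that walks the text output of `gradle dependencies --configuration runtimeClasspath` and reports where the two coordinates named above resolve in the tree, together with the chain of parents that pulled each one in. The sample tree is constructed; the `spring-boot-starter-web` line is an assumed parent that the report does not mention.

```python
import re
from typing import List, Tuple

# Coordinates named in the report above (group, artifact, version).
AFFECTED = {
    ("com.netflix.graphql.dgs", "graphql-dgs-platform-dependencies", "7.3.6"),
    ("org.springframework", "spring-webmvc", "6.0.11"),
}

# One node of `gradle dependencies` output: 5-char tree prefix per level,
# group:name[:requested] and an optional "-> resolved" arrow; (*) etc. ignored.
NODE = re.compile(
    r"^(?P<prefix>(?:[| ]    )*)[+\\]--- (?P<group>[^:\s]+):(?P<name>[^:\s]+)"
    r"(?::(?P<requested>\S+))?(?: -> (?P<resolved>\S+))?"
)

def parse_tree(text: str) -> List[Tuple[Tuple[str, str, str], List[str]]]:
    """Return ((group, name, resolved_version), [ancestor coordinates]) per node."""
    stack: List[str] = []  # coordinates of the ancestors of the current node
    nodes = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend, project nodes
        depth = len(m.group("prefix")) // 5
        version = m.group("resolved") or m.group("requested") or ""
        del stack[depth:]  # pop back to this node's parent
        nodes.append(((m.group("group"), m.group("name"), version), list(stack)))
        stack.append(f"{m.group('group')}:{m.group('name')}:{version}")
    return nodes

def find_affected(text: str) -> List[Tuple[str, List[str]]]:
    """List each affected coordinate with the dependency chain that pulled it in."""
    return [(":".join(coord), path) for coord, path in parse_tree(text)
            if coord in AFFECTED]

# Constructed sample tree; spring-boot-starter-web is an assumed parent.
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.netflix.graphql.dgs:graphql-dgs-platform-dependencies:7.3.6
|    \--- org.springframework:spring-webmvc:6.0.11
\--- org.springframework.boot:spring-boot-starter-web:3.1.2
     \--- org.springframework:spring-webmvc:6.0.9 -> 6.0.11 (*)
"""

if __name__ == "__main__":
    for coord, path in find_affected(SAMPLE):
        print(coord, "<-", " <- ".join(reversed(path)) or "(direct)")
```
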

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, supply-chain, graphql, java, spring-framework
- **Credibility**: unverified
- **Published**: 2026-04-11 12:22:33
- **ID**: 60015
- **URL**: https://whisperx.ai/en/intel/60015