From 66ee45048fad3e7691953374bc482ab81728a33f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?=
Date: Wed, 17 Dec 2025 17:24:53 +0100
Subject: [PATCH] async-graphql: add information from CVE-2024-47614
---
crates/async-graphql/RUSTSEC-0000-0000.md | 25 +++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 crates/async-graphql/RUSTSEC-0000-0000.md
diff --git a/crates/async-graphql/RUSTSEC-0000-0000.md b/crates/async-graphql/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..788dccc91
--- /dev/null
+++ b/crates/async-graphql/RUSTSEC-0000-0000.md
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "async-graphql"
+date = "2024-10-03"
+url = "https://github.com/async-graphql/async-graphql/security/advisories/GHSA-5gc2-7c65-8fq8"
+references = ["https://github.com/async-graphql/async-graphql/commit/7f1791488463d4e9c5adcd543962173e2f6cbd34"]
+
+# See https://docs.rs/rustsec/latest/rustsec/advisory/enum.Category.html
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+aliases = ["CVE-2024-47614","GHSA-5gc2-7c65-8fq8"]
+
+[versions]
+patched = [">= 7.0.10"]
+```
+
+# Directive Overload
+
+async-graphql before 7.0.10 does not limit the number
+of directives for a field. This can lead to Service Disruption,
+Resource Exhaustion, and User Experience Degradation.
+
+Use SchemaBuilder.limit_directives to limit the maximum number
+of directives for a single field.
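Review bot: The description leaves it unclear whether upgrading alone mitigates the issue: `patched = [">= 7.0.10"]` says 7.0.10 is the fix, while the closing paragraph (`Use SchemaBuilder.limit_directives to limit ...`) reads as an opt-in configuration step. Readers triaging this advisory need to know whether 7.0.10 enforces a directive limit by default or whether the builder call is required to close the denial-of-service, so state that explicitly in the last paragraph, e.g. `Upgrading to 7.0.10 makes the limit available; it must still be configured via SchemaBuilder::limit_directives` or the opposite, whichever the referenced commit shows. As a style point, the method would conventionally be written in Rust path form and code formatting, `SchemaBuilder::limit_directives`, and the TOML array would read more consistently with a space after the comma, `aliases = ["CVE-2024-47614", "GHSA-5gc2-7c65-8fq8"]`.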