PT-2022-15055 · Unknown · Graphql-Go
Jupenur · Published 2022-01-21 · Updated 2023-07-24 · CVE-2022-21708
| CVSS v3.1 | 6.5 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
graphql-go versions prior to 1.3.0
Description
This is a denial-of-service (DoS) vulnerability: a bug in the library lets an attacker cause stack overflow panics with specially crafted queries. Any user with access to the GraphQL handler can send such queries and trigger the stack overflow, potentially compromising the server's ability to serve data. The issue only occurs when the graphql.MaxDepth option is enabled on the schema.
Recommendations
For versions prior to v1.3.0, the best fix is to upgrade to v1.3.0 or later.
Otherwise, the only workaround in versions prior to v1.3.0 is to remove the graphql.MaxDepth option from your schema, although this could potentially create opportunities for other attacks.
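Added audit helper, not from the advisory or the graphql-go project, that applies the two conditions above (a graphql-go requirement below v1.3.0 and a schema that enables graphql.MaxDepth) to a Go module and reports whether it is exposed; the module path github.com/graph-gophers/graphql-go and the fixture files it writes are assumptions.

```shell
# Added audit helper (not from the advisory or graphql-go): a Go module is exposed to
# CVE-2022-21708 only when BOTH hold: go.mod requires graphql-go below v1.3.0 (first fixed
# release) AND the code enables the graphql.MaxDepth schema option (the trigger).
# Assumption: the module path is github.com/graph-gophers/graphql-go.
set -e
MODULE="github.com/graph-gophers/graphql-go"
FIXED_VERSION="1.3.0"

# version_lt A B: succeed when semver A is strictly lower than B (no "v" prefix; -/+ suffixes ignored).
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}; a3=${a3%%[-+]*}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}; b3=${b3%%[-+]*}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
    [ "$a3" -lt "$b3" ]
}

# graphql_go_version GO_MOD: print the required graphql-go version without its "v" (empty if absent).
graphql_go_version() {
    awk -v m="$MODULE" '
        $1 == m { print substr($2, 2); exit }
        $1 == "require" && $2 == m { print substr($3, 2); exit }' "$1"
}

# uses_max_depth SRC_DIR: succeed when any .go file under SRC_DIR calls graphql.MaxDepth(...).
uses_max_depth() {
    find "$1" -name '*.go' -exec grep -l 'graphql\.MaxDepth(' {} + | grep -q .
}

# assess GO_MOD SRC_DIR: NO_DEPENDENCY | FIXED | VULNERABLE (old + MaxDepth) | OUTDATED (old, no MaxDepth)
assess() {
    ver=$(graphql_go_version "$1")
    if [ -z "$ver" ]; then echo NO_DEPENDENCY; return 0; fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then echo FIXED
    elif uses_max_depth "$2"; then echo VULNERABLE
    else echo OUTDATED; fi
}

# make_fixture DIR VERSION yes|no: write a constructed go.mod and main.go for demonstration only.
make_fixture() {
    mkdir -p "$1"
    printf 'module example.com/app\n\ngo 1.17\n\nrequire %s v%s\n' "$MODULE" "$2" > "$1/go.mod"
    if [ "$3" = yes ]; then opt='graphql.MaxDepth(10)'; else opt=''; fi
    printf 'package main\n\nvar schema = graphql.MustParseSchema(schemaText, nil, %s)\n' "$opt" > "$1/main.go"
}
tmp=$(mktemp -d); make_fixture "$tmp/old" 1.2.0 yes; make_fixture "$tmp/new" 1.3.0 yes
echo "v1.2.0 + MaxDepth: $(assess "$tmp/old/go.mod" "$tmp/old")"   # VULNERABLE
echo "v1.3.0 + MaxDepth: $(assess "$tmp/new/go.mod" "$tmp/new")"   # FIXED
rm -rf "$tmp"
```

Point it at a real checkout with `assess path/to/go.mod path/to/src`; an OUTDATED result means the panic cannot be triggered but the upgrade is still advised.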
DoS · Uncontrolled Recursion · Resource Exhaustion
Related Identifiers: CVE-2022-21708
Affected Products: Debian · Graphql-Go