PT-2023-31628 · Grackle+1

Armanbilge · Published 2023-12-18 · Updated 2024-01-08 · CVE-2023-50730

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Grackle versions prior to 0.18.0
Description: The issue arises from two stack overflow vulnerabilities in Grackle, a GraphQL server written in functional Scala. The first vulnerability occurs because Grackle, prior to version 0.18.0, did not check for cyclic fragments in GraphQL queries, which could lead to a JVM StackOverflowError during type checking and compilation. The second vulnerability is due to the use of the recursive operator from the cats-parse library, which is not stack safe. This operator was used in three places in the parser, allowing queries with deeply nested selection sets, input values, or list types to cause a JVM StackOverflowException during parsing. Both issues can be exploited to cause a denial of service, potentially affecting all applications that expose Grackle to untrusted users.
Recommendations: For Grackle versions prior to 0.18.0, update to version 0.18.0 to resolve the stack overflow issues. As a temporary workaround, consider interposing a sanitizing layer between untrusted input and Grackle query processing to minimize the risk of exploitation.
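As an added illustration of the sanitizing layer the recommendation describes (example code, not Grackle's or cats-parse's own), the guard below rejects the two query shapes the description names, cyclic fragment spreads and excessive nesting, before the text reaches the server's parser. The depth limit MAX_DEPTH, the regex-based scanning of fragment definitions and the sample queries are assumptions constructed for this example.

```python
import re

# Added illustration, not Grackle's code: a pre-parse guard for the two query
# shapes the advisory names, placed in front of a Grackle (< 0.18.0) endpoint.
MAX_DEPTH = 20                                  # assumed limit; tune per schema
STRING = re.compile(r'"(?:\\.|[^"\\])*"')       # simplified GraphQL string literal
FRAGMENT = re.compile(r'\bfragment\s+(\w+)\s+on\s+\w+')
SPREAD = re.compile(r'\.\.\.\s*(?!on\b)(\w+)')  # named spreads only, not "... on T"

def max_nesting(query: str) -> int:
    # Deepest {} / [] / () nesting: selection sets, input objects and lists.
    depth = best = 0
    for c in STRING.sub('""', query):           # brackets inside strings don't count
        if c in '{[(}])':
            depth += 1 if c in '{[(' else -1
            best = max(best, depth)
    return best

def fragment_graph(query: str) -> dict:
    # Map each fragment definition to the named fragments spread in its body.
    q, graph = STRING.sub('""', query), {}
    for m in FRAGMENT.finditer(q):
        start = i = q.index('{', m.end())
        depth = 0
        while i < len(q) and (depth := depth + (q[i] == '{') - (q[i] == '}')) > 0:
            i += 1                              # stop on the matching '}'
        graph[m.group(1)] = set(SPREAD.findall(q[start:i + 1]))
    return graph

def has_fragment_cycle(graph: dict) -> bool:
    # DFS over spreads; reaching a fragment already on the current path is a cycle.
    state = {}                                  # name -> 'path' or 'done'
    def visit(name):
        if state.get(name) == 'path':
            return True
        if state.get(name) == 'done' or name not in graph:
            return False                        # finished, or undefined fragment
        state[name] = 'path'
        found = any(visit(n) for n in graph[name])
        state[name] = 'done'
        return found
    return any(visit(n) for n in graph)

def check_query(query: str) -> str:             # run before the server parses the query
    if max_nesting(query) > MAX_DEPTH:
        return 'rejected: nesting too deep'
    if has_fragment_cycle(fragment_graph(query)):
        return 'rejected: cyclic fragment spread'
    return 'ok'

# Constructed samples: a fragment cycle F -> G -> F, and 25 nested selection sets.
CYCLIC = 'query { a { ...F } } fragment F on T { b { ...G } } fragment G on T { ...F }'
DEEP = 'query ' + '{ a ' * 25 + '}' * 25
```

The cycle check resolves spreads by name only, so it runs before any schema validation and catches self-referencing fragments as well as longer loops.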

Exploit · Fix

Weakness Enumeration: Resource Exhaustion; Allocation of Resources Without Limits

Related Identifiers: CVE-2023-50730; GHSA-G56X-7J6W-G8R8

Affected Products: Grackle; Cats-Parse