GHSA-mh3m-8c74-74xh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mh3m-8c74-74xh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-mh3m-8c74-74xh/GHSA-mh3m-8c74-74xh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mh3m-8c74-74xh
- Aliases
- Related
- Published
- 2022-01-27T15:28:06Z
- Modified
- 2023-11-01T04:57:42.353596Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Denial of Service in graphql-go
- Details
-
Impact
This is a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users. To make things worse the only mitigation in affected versions creates opportunities for other attacks. This issue is only available if you are using
graphql.MaxDepthoption in your schema (which is highly recommended in most cases).Patches
The issue has been patched in version
v1.3.0. We have been trying to maintain backwards compatibility and avoid breaking changes so upgrading should not be problematic.Workarounds
The best workaround is to patch to a version greater than or equal to
v1.3.0. Otherwise, the only workaround in versions prior tov1.3.0is to disable thegraphql.MaxDepthoption from your schema. Unfortunately, this could potentially create opportunities for other attacks.References
There are no references or links. This issue was reported privately and was fixed before creating this Security Advisory.
For more information
If you have any questions or comments feel free to reach out to @pavelnikolov or @tony on the Gopher Slack.
- Database specific
{ "nvd_published_at": "2022-01-21T23:15:00Z", "github_reviewed_at": "2022-01-24T22:42:15Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-400" ] }- References
-
- https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh
- https://nvd.nist.gov/vuln/detail/CVE-2022-21708
- https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe
- https://github.com/graph-gophers/graphql-go
- https://pkg.go.dev/vuln/GO-2022-0300
Affected packages
Go / github.com/graph-gophers/graphql-go
Package
- Name
- github.com/graph-gophers/graphql-go
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/graph-gophers/graphql-go