CVE-2022-37734
Denial of Service vulnerability in graphql-java (Maven)
What is CVE-2022-37734 About?
This is a Denial of Service vulnerability in graphql-java versions prior to 19.0, 18.3, and 17.4, which can be triggered by a malicious GraphQL query. An attacker can send a crafted query that consumes excessive CPU resources, making the application unresponsive. Exploitation is relatively easy once the vulnerability is understood, as it involves sending a specific type of query.
Affected Software
- com.graphql-java:graphql-java
- >18.0, <18.3
- <17.4
Technical Details
The vulnerability in graphql-java (before versions 19.0, 18.3, and 17.4) is a Denial of Service caused by excessive CPU resource consumption during GraphQL query processing. An attacker can craft a complex or recursive GraphQL query that, when executed by the server, forces the GraphQL engine to perform a disproportionately large amount of computation relative to the query's size. This could involve deeply nested queries, extensive use of aliases, or requesting highly correlated data fields that lead to exponential complexity. The parsing and execution of such a query consume significant CPU cycles, preventing the server from processing legitimate requests and ultimately leading to a denial of service for other users.
What is the Impact of CVE-2022-37734?
Successful exploitation may allow attackers to consume excessive server CPU resources, leading to a denial of service and making the application unresponsive to legitimate users.
What is the Exploitability of CVE-2022-37734?
Exploiting this vulnerability is of low to moderate complexity, as it primarily involves crafting and sending a malicious GraphQL query. Authentication requirements depend on whether the GraphQL endpoint is publicly accessible or requires prior authentication. If the endpoint is public, no authentication is needed. Privilege requirements are typically none for triggering the CPU-intensive query. This is a remote attack. Special conditions might include the need to identify complex or recursive relationships within the GraphQL schema. The risk factors that increase exploitation likelihood include a publicly exposed GraphQL endpoint and lack of proper query complexity analysis or throttling mechanisms.
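The mitigation the previous paragraphs point at, query complexity analysis and throttling on the server, is what graphql-java's bundled instrumentation provides. The following is an added example, not code from the graphql-java project or this advisory, showing how a bounded engine rejects a deeply nested query against a constructed self-referential schema while serving a modest one; the schema, resolvers and the limits 5 and 100 are assumptions chosen for illustration. This complements, and does not replace, the version upgrade listed under the fixes below.

```java
import graphql.ExecutionInput;
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.execution.instrumentation.ChainedInstrumentation;
import graphql.execution.instrumentation.Instrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not graphql-java's own code): bounding query depth and
 * complexity so that nesting-based CPU exhaustion is refused up front.
 * Schema, resolvers and limits are constructed for illustration.
 */
public class BoundedGraphQL {

    // Constructed toy schema: User refers to itself, so a client can nest
    // "friends { friends { ... } }" as deep as it likes.
    private static final String SDL =
        "type Query { me: User }\n" +
        "type User {\n" +
        "  id: ID!\n" +
        "  name: String\n" +
        "  friends: [User]\n" +
        "}\n";

    private static Map<String, Object> sampleUser() {
        Map<String, Object> user = new HashMap<>();
        user.put("id", "1");
        user.put("name", "alice");
        return user;
    }

    static GraphQLSchema buildSchema() {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", t -> t.dataFetcher("me", env -> sampleUser()))
            // every user has one friend, so nesting never bottoms out on its own
            .type("User", t -> t.dataFetcher("friends",
                env -> Collections.singletonList(sampleUser())))
            .build();
        return new SchemaGenerator().makeExecutableSchema(registry, wiring);
    }

    /** Engine that refuses queries deeper than maxDepth or costlier than maxComplexity. */
    static GraphQL buildBoundedEngine(int maxDepth, int maxComplexity) {
        List<Instrumentation> limits = Arrays.asList(
            new MaxQueryDepthInstrumentation(maxDepth),
            new MaxQueryComplexityInstrumentation(maxComplexity));
        return GraphQL.newGraphQL(buildSchema())
            .instrumentation(new ChainedInstrumentation(limits))
            .build();
    }

    /** Builds "{ me { friends { friends { ... { id } } } } }" with the given nesting depth. */
    static String nestedQuery(int depth) {
        StringBuilder sb = new StringBuilder("{ me ");
        for (int i = 0; i < depth; i++) {
            sb.append("{ friends ");
        }
        sb.append("{ id }");
        for (int i = 0; i < depth; i++) {
            sb.append(" }");
        }
        sb.append(" }");
        return sb.toString();
    }

    /** True when the engine ran the query without reporting any error. */
    static boolean accepted(GraphQL engine, String query) {
        ExecutionResult result = engine.execute(
            ExecutionInput.newExecutionInput().query(query).build());
        return result.getErrors().isEmpty();
    }

    public static void main(String[] args) {
        GraphQL engine = buildBoundedEngine(5, 100);
        // The shallow query is served; the 50-level query is aborted by the
        // depth instrumentation before any resolver runs, and the result
        // carries an error instead of data.
        System.out.println("depth 2 accepted:  " + accepted(engine, nestedQuery(2)));
        System.out.println("depth 50 accepted: " + accepted(engine, nestedQuery(50)));
    }
}
```

The depth limit catches the nesting pattern described above directly; the complexity limit (one unit per field by default) also bounds wide, alias-heavy selections that stay shallow. Both checks run during validation, so the cost of a rejected query is the cost of parsing and walking it, not of executing it, which is why a parser-level bound on query size (available in the fixed releases) still matters alongside them.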
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-37734?
About the Fix from Resolved Security
Available Upgrade Options
- com.graphql-java:graphql-java
- <17.4 → Upgrade to 17.4
- com.graphql-java:graphql-java
- >18.0, <18.3 → Upgrade to 18.3
Additional Resources
- https://github.com/graphql-java/graphql-java/releases
- https://github.com/graphql-java/graphql-java/discussions/2958
- https://github.com/graphql-java/graphql-java/issues/2888
- https://github.com/graphql-java/graphql-java/pull/2892
- https://github.com/graphql-java/graphql-java
- https://security.snyk.io/vuln/SNYK-JAVA-COMGRAPHQLJAVA-3021519
- https://osv.dev/vulnerability/GHSA-v62j-cxhh-fq22
What are Similar Vulnerabilities to CVE-2022-37734?
Similar Vulnerabilities: CVE-2015-3217, CVE-2019-15822, CVE-2020-11024, CVE-2020-7663, CVE-2021-43818
