CVE-2023-26144
Denial of Service vulnerability in graphql (npm)
What is CVE-2023-26144 About?
GraphQL versions 16.3.0 through 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks when parsing large queries within the OverlappingFieldsCanBeMergedRule.ts. This allows an attacker to degrade system performance, with moderate ease of exploitation through large, crafted queries.
Affected Software
Technical Details
The Denial of Service vulnerability affects graphql versions where the OverlappingFieldsCanBeMergedRule.ts file has insufficient checks. When processing GraphQL queries, particularly large and complex ones, this rule is responsible for ensuring that overlapping fields can be merged correctly. However, a malicious attacker can craft a query with a structure that, when processed by this rule, consumes excessive computational resources. This resource exhaustion is not due to an infinite loop, but rather a disproportionate amount of processing required for specific query patterns (e.g., highly nested or complex overlapping fields), leading to degraded system performance and potentially a denial of service.
What is the Impact of CVE-2023-26144?
Successful exploitation may allow attackers to degrade system performance significantly, potentially leading to a denial of service for legitimate users.
What is the Exploitability of CVE-2023-26144?
Exploitation involves sending large and complex GraphQL queries designed to stress the OverlappingFieldsCanBeMergedRule processing. The complexity is moderate, requiring an understanding of GraphQL query structures that trigger high computational cost. Authentication requirements vary based on the GraphQL endpoint's configuration; if it's publicly accessible, no authentication is needed. This is typically a remote attack. There are no specific privilege requirements beyond the ability to submit GraphQL queries. The main constraint is crafting a query that is sufficiently large and complex to cause performance degradation without necessarily crashing the service. Risk factors include publicly exposed GraphQL APIs that do not implement query depth limits, complexity analysis, or rate limiting.
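The risk factors above point at the standard mitigation: bound the size, depth and selection count of a document before the full validation pipeline (including OverlappingFieldsCanBeMergedRule) spends time on it. The guard below is an added example written for this page, not code from the graphql-js project or from the advisory; the `LIMITS` thresholds, the function names and the sample queries are constructed assumptions, and the counts it produces are deliberately coarse upper bounds.

```javascript
// Added example, not graphql-js code: a cheap pre-validation budget check that
// rejects oversized documents before costly validation rules run on them.
const LIMITS = { maxDepth: 10, maxSelections: 500, maxBytes: 64 * 1024 }; // illustrative
// One pass over the raw text. String literals and comments are skipped so braces
// inside them are not mistaken for selection-set nesting. The counts are upper
// bounds: object literals in arguments also open braces, and argument or directive
// names inside a selection set are counted along with field names.
function measureQuery(query) {
  let depth = 0, maxDepth = 0, selections = 0, i = 0;
  const n = query.length;
  while (i < n) {
    const c = query[i];
    if (c === '#') {                                  // line comment
      while (i < n && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {          // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? n : end + 3;
    } else if (c === '"') {                           // ordinary string
      i++;
      while (i < n && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '{') {
      depth++; if (depth > maxDepth) maxDepth = depth; i++;
    } else if (c === '}') {
      depth--; i++;
    } else if (/[_A-Za-z]/.test(c)) {                 // a Name token
      while (i < n && /[_0-9A-Za-z]/.test(query[i])) i++;
      if (depth > 0) selections++;
    } else {
      i++;
    }
  }
  return { maxDepth, selections, bytes: Buffer.byteLength(query, 'utf8'), balanced: depth === 0 };
}
// Returns { ok, reasons, measured }; callers reject the request when ok is false.
function checkQueryBudget(query, limits = LIMITS) {
  const m = measureQuery(query);
  const reasons = [];
  if (m.bytes > limits.maxBytes) reasons.push(`size ${m.bytes} bytes exceeds ${limits.maxBytes}`);
  if (m.maxDepth > limits.maxDepth) reasons.push(`nesting depth ${m.maxDepth} exceeds ${limits.maxDepth}`);
  if (m.selections > limits.maxSelections) reasons.push(`${m.selections} selections exceed ${limits.maxSelections}`);
  if (!m.balanced) reasons.push('unbalanced braces');
  return { ok: reasons.length === 0, reasons, measured: m };
}
// Constructed sample documents: a normal query, one nested 20 levels deep, one 600 fields wide.
const benign = '{ user(id: "a{b}") { name # {not a brace}\n friends { name } } }';
const deep = '{ a '.repeat(20) + '}'.repeat(20);
const wide = '{ ' + Array.from({ length: 600 }, (_, k) => 'f' + k).join(' ') + ' }';
console.log(checkQueryBudget(benign).ok, checkQueryBudget(deep).reasons, checkQueryBudget(wide).reasons);
```

Because the check is linear in the document length, it can sit in front of the parser on an unauthenticated endpoint; rate limiting and schema-aware complexity analysis remain separate controls.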
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| tadhglewis | Link | GraphQL vulnerability disclosure: CVE-2023-26144 |
What are the Available Fixes for CVE-2023-26144?
Available Upgrade Options
- graphql
- >16.3.0, <16.8.1 → Upgrade to 16.8.1
Additional Resources
- https://github.com/graphql/graphql-js/issues/3955
- https://github.com/graphql/graphql-js/releases/tag/v16.8.1
- https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181
- https://github.com/graphql/graphql-js/pull/3972
- https://osv.dev/vulnerability/GHSA-9pv7-vfvm-6vr7
- https://github.com/graphql/graphql-js
What are Similar Vulnerabilities to CVE-2023-26144?
Similar Vulnerabilities: CVE-2020-7798, CVE-2023-1370, CVE-2022-42004, CVE-2022-36944, CVE-2023-25153
