CVE-2023-28867
Denial of Service vulnerability in graphql-java (Maven)


What is CVE-2023-28867 About?

GraphQL Java (versions before 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135) is vulnerable to a Denial of Service attack via stack consumption. An attacker can craft a malicious GraphQL query that causes the server's call stack to overflow. This vulnerability allows an unauthenticated attacker to crash the GraphQL server, leading to service disruption.

Affected Software

  • com.graphql-java:graphql-java
    • >1.2, <17.5
    • >18.0, <18.4
    • >19.0, <19.4
    • >20.0, <20.1
    • <0.0.0-2023-03-20T01-49-44-80e3135

Technical Details

The vulnerability in GraphQL Java arises from its recursive processing of GraphQL queries, leading to a stack consumption issue. An attacker can formulate a GraphQL query with deeply nested structures, complex aliases, or recursive fragment definitions that, when parsed and executed by the GraphQL Java engine, cause an excessive number of function calls on the server's call stack. Because of the recursive nature of query processing and the fixed size of the call stack, an overly complex or deeply nested query can trigger a stack overflow error. This uncaught error leads to the immediate termination of the server process, effectively causing a Denial of Service.
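As an added defense-in-depth illustration (not code from the advisory or from the graphql-java project), the snippet below uses graphql-java's MaxQueryDepthInstrumentation so that an operation with an over-deep selection set is answered with a GraphQL error instead of being recursed through. The schema, the self-referencing Node type, the data fetchers and the nestedQuery builder are constructed for this example only.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;
import java.util.Map;

public class DepthLimitDemo {
    // Constructed schema (hypothetical): a self-referencing Node type lets a
    // client nest "child { child { ... } }" without bound.
    static final String SDL = String.join("\n",
        "type Query { node: Node }",
        "type Node { name: String, child: Node }");

    static GraphQL buildEngine(int maxDepth) {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", t -> t.dataFetcher("node", env -> Map.of("name", "root")))
            // Each child resolves to a fresh map, so resolution alone never ends the recursion.
            .type("Node", t -> t.dataFetcher("child", env -> Map.of("name", "child")))
            .build();
        GraphQLSchema schema = new SchemaGenerator().makeExecutableSchema(registry, wiring);
        return GraphQL.newGraphQL(schema)
            // Aborts any operation whose selection depth exceeds maxDepth before data fetching starts.
            .instrumentation(new MaxQueryDepthInstrumentation(maxDepth))
            .build();
    }

    // Builds "{ node { child { child { ... { name } } } } }" with the given nesting depth for testing the guard.
    static String nestedQuery(int depth) {
        StringBuilder sb = new StringBuilder("{ node ");
        for (int i = 0; i < depth; i++) sb.append("{ child ");
        sb.append("{ name }");
        for (int i = 0; i < depth; i++) sb.append(" }");
        return sb.append(" }").toString();
    }

    public static void main(String[] args) {
        GraphQL graphql = buildEngine(10);
        ExecutionResult withinLimit = graphql.execute(nestedQuery(5));
        System.out.println("depth 5 errors: " + withinLimit.getErrors());
        // Past the limit the engine returns a GraphQL error instead of recursing through the tree.
        ExecutionResult overLimit = graphql.execute(nestedQuery(50));
        overLimit.getErrors().forEach(e -> System.out.println("depth 50 error: " + e.getMessage()));
    }
}
```

MaxQueryDepthInstrumentation inspects the already-parsed document, so it bounds execution-time nesting but does not protect the parser itself; upgrading to a fixed version remains the actual remediation for this CVE.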

What is the Impact of CVE-2023-28867?

Successful exploitation may allow attackers to cause a denial of service, making the GraphQL server and any dependent services unavailable to legitimate users.

What is the Exploitability of CVE-2023-28867?

Exploitation of this vulnerability is of low complexity. An attacker only needs remote access to the GraphQL endpoint to send a crafted query. No authentication is explicitly required, meaning any unauthenticated client capable of sending GraphQL queries could exploit this. The query effectively acts as the payload, triggering the stack consumption. No specific privileges are needed on the server side. The primary special condition is the presence of the vulnerable GraphQL Java version. The likelihood of exploitation is high given the ease with which a malicious query can be constructed and sent, leading directly to a server crash.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2023-28867?

Available Upgrade Options

  • com.graphql-java:graphql-java
    • >1.2, <17.5 → Upgrade to 17.5
    • >18.0, <18.4 → Upgrade to 18.4
    • >19.0, <19.4 → Upgrade to 19.4
    • >20.0, <20.1 → Upgrade to 20.1
    • <0.0.0-2023-03-20T01-49-44-80e3135 → Upgrade to 0.0.0-2023-03-20T01-49-44-80e3135

Additional Resources

What are Similar Vulnerabilities to CVE-2023-28867?

Similar Vulnerabilities: CVE-2023-32695, CVE-2023-34104, CVE-2023-44271, CVE-2021-41133, CVE-2020-15160