CVE-2023-28867

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28867
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28867.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28867
Aliases
Published
2023-03-27T01:15:07.413Z
Modified
2025-11-20T12:18:29.169374Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

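In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. Per the CVSS vector above, this is an availability-only issue (A:H, with no confidentiality or integrity impact) that is reachable over the network without authentication or user interaction. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. Because fixes were also released on the 19.x, 18.x and 17.x lines, "before 20.1" does not cover 19.4, 18.4 or 17.5; the affected-version list below is consistent with this, ending at v19.3, v18.3, v17.4 and v20.0. The fix commits referenced in the signatures below change src/main/java/graphql/parser/Parser.java and ParserOptions.java.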

References

Affected packages

Git / github.com/graphql-java/graphql-java

Affected ranges

Type
GIT
Repo
https://github.com/graphql-java/graphql-java
Events

Affected versions

12.*

12.0

v1.*

v1.0
v1.2
v1.3

v10.*

v10.0

v11.*

v11.0

v12.*

v12.0

v13.*

v13.0

v14.*

v14.0

v15.*

v15.0

v16.*

v16.0
v16.1
v16.2

v17.*

v17.0
v17.0-beta1
v17.0.0-beta1
v17.1
v17.2
v17.3
v17.4

v18.*

v18.0
v18.1
v18.2
v18.3

v19.*

v19.0
v19.1
v19.2
v19.3

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0

v20.*

v20.0

v3.*

v3.0.0

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v7.*

v7.0

v8.*

v8.0

v9.*

v9.0
v9.1
v9.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28867.json"

vanir_signatures

[
    {
        "target": {
            "function": "ParserOptions",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-1736e906",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "107096461883321427489822662467714116337",
            "length": 307.0
        }
    },
    {
        "target": {
            "function": "ParserOptions",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-19cdfb73",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "100845729788637426848026172177383082905",
            "length": 358.0
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-25be4ec1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "195441864188803098178798547537929523495",
                "314200291007238960926406327039413550096",
                "2127094700740136968549541663906775223",
                "28942720981026645879105330121937594024",
                "272522729430044705388557687013535291055",
                "172789081020780669056385575504369089135",
                "161592308228573192425130653597497272963",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "parseImpl",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-2d314090",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "131367469637499662514152788039785718873",
            "length": 2029.0
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-2e215ef5",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "200789073349343591308856415434153339540",
                "4398447980494056475909569226891135570",
                "217492365856953206148280999617600107806",
                "295413907910637757244026578302808421445",
                "99347107812727345644276340698356893253",
                "243639786114660059227904537263337804371",
                "184082509827344320816882284096978071451",
                "301145714464474871332206555035731958165",
                "8097071380394560178713026838585149735",
                "132747338018992063484214645278964739591",
                "111389838724433899831384020036264643244",
                "61616143660020220903382064222456939397",
                "251416392363188586572221146763484883503",
                "68216252802730252774750438877243389761",
                "37953200468002735639786874651527888578",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "60267308480124250787641142868099678146",
                "207467004336133005305202410574630972797",
                "194478939411198217990743902055704865779",
                "91331019333138453130832968113321001402",
                "152017923807475988241759782297419553919",
                "335670201368948803720098520808311088959"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-636d5477",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "195441864188803098178798547537929523495",
                "314200291007238960926406327039413550096",
                "2127094700740136968549541663906775223",
                "28942720981026645879105330121937594024",
                "272522729430044705388557687013535291055",
                "172789081020780669056385575504369089135",
                "161592308228573192425130653597497272963",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "parseImpl",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-6751c519",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "131367469637499662514152788039785718873",
            "length": 2029.0
        }
    },
    {
        "target": {
            "function": "parseImpl",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-7a240710",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "131367469637499662514152788039785718873",
            "length": 2029.0
        }
    },
    {
        "target": {
            "function": "Builder",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-84706de9",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "107096461883321427489822662467714116337",
            "length": 307.0
        }
    },
    {
        "target": {
            "function": "throwCancelParseIfTooManyTokens",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-931b3bbd",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "261722846679163255346022045269518140061",
            "length": 622.0
        }
    },
    {
        "target": {
            "function": "throwCancelParseIfTooManyTokens",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-99162a76",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "261722846679163255346022045269518140061",
            "length": 622.0
        }
    },
    {
        "target": {
            "function": "visitTerminal",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-9f342fad",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "98977058209400896274451248014768637340",
            "length": 160.0
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-a82fa07d",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "102946193542560119040145842864590979970",
                "81585618443658454952416335334008094176",
                "220566234918611789025807121263669223294",
                "295413907910637757244026578302808421445",
                "190457606341830965153789775001315195676",
                "228605203546321115621511159325076890431",
                "159542464739293998820090389534722265909",
                "139773028368889587784590594558186088375",
                "59075709276663536790541152776342721535",
                "70151371328435594289928652107717301375",
                "56761871629815201096650662931670150612",
                "75681159018350375153611959441500337195",
                "235641403697900720502578085434185703743",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "311015808044674598272751413641469290572",
                "9031673614721156524331266755228237343",
                "159770413061440102796656992905069860065",
                "23686616431714611868553961585639452181",
                "19360163883863100654519157062032647181",
                "276726009393873248976542950838164435372"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "throwCancelParseIfTooManyTokens",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-a9e6c66d",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "261722846679163255346022045269518140061",
            "length": 622.0
        }
    },
    {
        "target": {
            "function": "Builder",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-ad70dde2",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "100845729788637426848026172177383082905",
            "length": 358.0
        }
    },
    {
        "target": {
            "function": "Builder",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-aecd18e6",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "100845729788637426848026172177383082905",
            "length": 358.0
        }
    },
    {
        "target": {
            "function": "setupParserListener",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-afbc220a",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "283419530021468244310602323395699962217",
            "length": 791.0
        }
    },
    {
        "target": {
            "function": "visitTerminal",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-bc4f4135",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "function_hash": "192187236361422592697581414175043895792",
            "length": 522.0
        }
    },
    {
        "target": {
            "function": "ParserOptions",
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-bf473cba",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "100845729788637426848026172177383082905",
            "length": 358.0
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-c1c02d99",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "322491364238379011668677832620288792409",
                "286606710324992052697418163595418380338",
                "234363346061103890360923069537510902923",
                "149538038130569568411482220888772796758",
                "272522729430044705388557687013535291055",
                "183334901620001236037653991993493545455",
                "211380834177819331184568884267377441686",
                "223876146626007495419016266676682051009",
                "63408308177239304964395097383326721615",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "setupParserListener",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-e442f89c",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "283419530021468244310602323395699962217",
            "length": 791.0
        }
    },
    {
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-f088709c",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "200789073349343591308856415434153339540",
                "4398447980494056475909569226891135570",
                "217492365856953206148280999617600107806",
                "295413907910637757244026578302808421445",
                "99347107812727345644276340698356893253",
                "243639786114660059227904537263337804371",
                "184082509827344320816882284096978071451",
                "301145714464474871332206555035731958165",
                "8097071380394560178713026838585149735",
                "132747338018992063484214645278964739591",
                "111389838724433899831384020036264643244",
                "61616143660020220903382064222456939397",
                "251416392363188586572221146763484883503",
                "68216252802730252774750438877243389761",
                "37953200468002735639786874651527888578",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "60267308480124250787641142868099678146",
                "207467004336133005305202410574630972797",
                "194478939411198217990743902055704865779",
                "91331019333138453130832968113321001402",
                "152017923807475988241759782297419553919",
                "335670201368948803720098520808311088959"
            ],
            "threshold": 0.9
        }
    },
    {
        "target": {
            "function": "visitTerminal",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-f3169add",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3",
        "signature_version": "v1",
        "digest": {
            "function_hash": "192187236361422592697581414175043895792",
            "length": 522.0
        }
    },
    {
        "target": {
            "function": "setupParserListener",
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-f779ed6b",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c",
        "signature_version": "v1",
        "digest": {
            "function_hash": "58632047594417232813919698799212504335",
            "length": 385.0
        }
    }
]