Headline
GHSA-g56x-7j6w-g8r8: Grackle has StackOverflowError in GraphQL query processing
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowError
s. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
[!CAUTION]
No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.
Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-50730
Grackle has StackOverflowError in GraphQL query processing
High severity GitHub Reviewed Published Dec 18, 2023 in typelevel/grackle • Updated Dec 18, 2023
Package
maven edu.gemini:gsp-graphql-core_2.13 (Maven)
Affected versions
<= 0.14.0
maven edu.gemini:gsp-graphql-core_3 (Maven)
maven edu.gemini:gsp-graphql-core_native0.4_2.13 (Maven)
maven edu.gemini:gsp-graphql-core_native0.4_3 (Maven)
maven edu.gemini:gsp-graphql-core_sjs1_2.13 (Maven)
maven edu.gemini:gsp-graphql-core_sjs1_3 (Maven)
maven org.typelevel:grackle-core_2.13 (Maven)
maven org.typelevel:grackle-core_3 (Maven)
maven org.typelevel:grackle-core_native0.4_2.13 (Maven)
maven org.typelevel:grackle-core_native0.4_3 (Maven)
maven org.typelevel:grackle-core_sjs1_2.13 (Maven)
maven org.typelevel:grackle-core_sjs1_3 (Maven)
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
Caution
No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.
Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
References
- GHSA-g56x-7j6w-g8r8
- typelevel/grackle@56e244b
- https://github.com/typelevel/grackle/releases/tag/v0.18.0
Published to the GitHub Advisory Database
Dec 18, 2023
Last updated
Dec 18, 2023