Headline
GHSA-g56x-7j6w-g8r8: Grackle has StackOverflowError in GraphQL query processing
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
Caution: No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.
Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
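One possible shape for such a sanitizing layer, as an added example (not code from the advisory or from Grackle): a pre-parse guard that bounds query size and bracket nesting before the text reaches the query parser. The object name `QueryGuard` and both limits are assumptions, and because the advisory does not describe the pathological query, size and nesting depth are assumed here to be the properties worth bounding.

```scala
// Added example: pre-parse guard for untrusted GraphQL text. Not part of Grackle.
object QueryGuard {
  val MaxLength = 10000 // assumed limit on query size in characters; tune per application
  val MaxDepth  = 32    // assumed limit on nesting of { } ( ) [ ]

  /** Right(query) when within limits, Left(reason) otherwise.
    * The scan is a single loop with no recursion, so the guard itself
    * uses constant stack whatever the shape of the input. */
  def check(query: String): Either[String, String] = {
    val n = query.length
    if (n > MaxLength) return Left(s"query exceeds $MaxLength characters")
    var i = 0
    var depth = 0
    while (i < n) {
      val c = query.charAt(i)
      if (c == '#') {
        // Comment: brackets up to end of line are not syntax.
        while (i < n && query.charAt(i) != '\n') i += 1
      } else if (query.startsWith("\"\"\"", i)) {
        // Block string: ends at the next """ that is not escaped as \"""
        i += 3
        while (i < n && !(query.startsWith("\"\"\"", i) && query.charAt(i - 1) != '\\')) i += 1
        if (i >= n) return Left("unterminated block string")
        i += 3
      } else if (c == '"') {
        // Ordinary string: step over backslash escapes such as \"
        i += 1
        while (i < n && query.charAt(i) != '"') i += (if (query.charAt(i) == '\\') 2 else 1)
        if (i >= n) return Left("unterminated string")
        i += 1
      } else {
        if (c == '{' || c == '(' || c == '[') {
          depth += 1
          if (depth > MaxDepth) return Left(s"nesting exceeds $MaxDepth levels")
        } else if (c == '}' || c == ')' || c == ']') {
          if (depth == 0) return Left("unbalanced closing bracket")
          depth -= 1
        }
        i += 1
      }
    }
    if (depth != 0) Left("unbalanced opening bracket") else Right(query)
  }
}
```

Call `QueryGuard.check` on the raw request text and return an error response on `Left` instead of passing the query on; upgrading to v0.18.0 remains the fix.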
- CVE-2023-50730
High severity GitHub Reviewed Published Dec 18, 2023 in typelevel/grackle • Updated Dec 18, 2023
Package
maven edu.gemini:gsp-graphql-core_2.13 (Maven)
Affected versions
<= 0.14.0
maven edu.gemini:gsp-graphql-core_3 (Maven)
maven edu.gemini:gsp-graphql-core_native0.4_2.13 (Maven)
maven edu.gemini:gsp-graphql-core_native0.4_3 (Maven)
maven edu.gemini:gsp-graphql-core_sjs1_2.13 (Maven)
maven edu.gemini:gsp-graphql-core_sjs1_3 (Maven)
maven org.typelevel:grackle-core_2.13 (Maven)
maven org.typelevel:grackle-core_3 (Maven)
maven org.typelevel:grackle-core_native0.4_2.13 (Maven)
maven org.typelevel:grackle-core_native0.4_3 (Maven)
maven org.typelevel:grackle-core_sjs1_2.13 (Maven)
maven org.typelevel:grackle-core_sjs1_3 (Maven)
References
- GHSA-g56x-7j6w-g8r8
- typelevel/grackle@56e244b
- https://github.com/typelevel/grackle/releases/tag/v0.18.0
Published to the GitHub Advisory Database: Dec 18, 2023
Last updated: Dec 18, 2023