GoogleOSV:GHSA-G56X-7J6W-G8R8Grackle has StackOverflowError in GraphQL query processing
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.4%
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
> [!CAUTION]
> No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.
Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.4%