GraphQL Server Grackle Affected by Stack Overflow Vulnerability – Take Action Now

CVE: CVE-2023-50730
CVSS (v3.1): 7.5
Source: CVE-2023-50730

Grackle, a popular GraphQL server written in Scala, was found to be vulnerable to stack overflows triggered by malicious GraphQL queries.

The GraphQL specification requires that fragments in a query must not form cycles. Earlier versions of Grackle did not check for this and accepted cyclic queries; processing such a query could result in a stack overflow error that crashed the server.

Additionally, Grackle's query parsing library was not stack safe, so sufficiently deeply nested queries could also cause a stack overflow.

Stack overflows pose a denial-of-service risk, since they crash the server process. Malicious actors could abuse this to take down Grackle-based services.

All Grackle users with public-facing GraphQL APIs are recommended to upgrade immediately to the latest version, 0.18.0, which fixes both stack overflow issues.

As an interim measure, applications can also filter incoming queries, rejecting cyclic or excessively nested ones, before passing them to Grackle. This keeps malicious inputs from reaching the vulnerable components.
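As an added illustration of such a pre-filter (example code written for this article, not part of Grackle, which is a Scala project), the Python below rejects a query if its fragment definitions spread each other in a cycle or if its selection sets nest deeper than a limit. It uses a lightweight regex scan rather than a full GraphQL parser, and the sample queries and the depth limit of 20 are constructed assumptions.

```python
import re

# Constructed sample queries for demonstration (not taken from the advisory).
CYCLIC_QUERY = """
query { user { ...A } }
fragment A on User { name ...B }
fragment B on User { id ...A }
"""
SAFE_QUERY = """
query { user { ...A } }
fragment A on User { name ...B }
fragment B on User { id }
"""
DEEP_QUERY = "query " + "{ a " * 60 + "}" * 60

FRAGMENT_RE = re.compile(r"fragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD_RE = re.compile(r"\.\.\.\s*(\w+)")

def fragment_bodies(query):
    """Map each fragment name to the text of its brace-balanced selection set."""
    bodies = {}
    for m in FRAGMENT_RE.finditer(query):
        depth, i = 1, m.end()
        while i < len(query) and depth > 0:
            depth += {"{": 1, "}": -1}.get(query[i], 0)
            i += 1
        bodies[m.group(1)] = query[m.end():i - 1]
    return bodies

def has_fragment_cycle(query):
    """True if fragment spreads form a cycle (Kahn's algorithm, no recursion)."""
    graph = {name: {s for s in SPREAD_RE.findall(body) if s != "on"}  # skip inline '... on T'
             for name, body in fragment_bodies(query).items()}
    indeg = {n: 0 for n in graph}
    for deps in graph.values():
        for d in deps:
            if d in indeg:  # spreads of undefined fragments are ignored here
                indeg[d] += 1
    ready = [n for n, k in indeg.items() if k == 0]
    removed = 0
    while ready:
        n = ready.pop()
        removed += 1
        for d in graph[n]:
            if d in indeg:
                indeg[d] -= 1
                if indeg[d] == 0:
                    ready.append(d)
    return removed < len(graph)  # nodes left over all sit on a cycle

def max_nesting_depth(query):
    """Deepest selection-set nesting; braces inside string literals are not excluded."""
    depth = peak = 0
    for ch in query:
        if ch == "{":
            depth += 1
            peak = max(peak, depth)
        elif ch == "}":
            depth -= 1
    return peak

def is_acceptable(query, max_depth=20):
    """Gate to run before handing a query to the GraphQL server."""
    return not has_fragment_cycle(query) and max_nesting_depth(query) <= max_depth
```

The depth limit should be tuned to the deepest legitimate query your schema needs, and a rejected query is worth logging as a possible probe.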

It is important that GraphQL server operators stay up to date on library vulnerabilities. Take action now to protect your services from these stack overflow attacks on Grackle.
