CVE-2023-50730

HIGH EPSS 52.9%
Published Dec 22, 20232y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Dec 22, 2023 2y ago
Last Modified Jun 17, 2026 2w ago

Description

Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn't checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM `StackOverflowError` being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed. Grackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse `recursive` operator. However, `recursive` is not currently stack safe. `recursive` was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM `StackOverflowException` to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
52.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-770

Affected Products 1

VendorProductVersionRange
typelevelgrackle* <0.18.0

References 3

  • github.com https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd
    Patch
  • github.com https://github.com/typelevel/grackle/releases/tag/v0.18.0
    Release Notes
  • github.com https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8
    Vendor Advisory

Remediation

  • github.com https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd
    Patch