Unrated severity · OSV Advisory · Published Dec 22, 2025 · Updated Dec 22, 2025
Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection
CVE-2021-47715
Description
Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources.
Affected products
- Range: v1.0.0-alpha0, v1.0.0-alpha01, v1.0.0-alpha02, …
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/49791 (mitre, exploit)
- www.vulncheck.com/advisories/hasura-graphql-server-side-request-forgery-via-remote-schema-injection (mitre, third-party-advisory)