CVE-2023-42319
Description
Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Geth through 1.13.4 with --http --graphql enabled is vulnerable to denial of service via crafted GraphQL queries that cause memory exhaustion and daemon hang.
Vulnerability
Description
Geth (go-ethereum) versions through 1.13.4, when the --http --graphql flags are used, expose a GraphQL endpoint that is susceptible to denial of service attacks. The root cause is that the GraphQL implementation allows batch requests with aliases, enabling an attacker to submit multiple queries within a single HTTP request [2]. Each alias is processed individually, leading to resource exhaustion as the server attempts to execute a large number of operations simultaneously [3]. The vendor acknowledges that the GraphQL endpoint is not designed to withstand hostile clients or handle traffic from untrusted sources [4].
Exploitation
An unauthenticated remote attacker can craft an HTTP request containing numerous aliased GraphQL queries, such as repeatedly querying for block numbers. Since no authentication or rate limiting is enforced by default, a single request can trigger hundreds or thousands of internal operations, consuming excessive CPU and memory on the target node [2]. The attacker does not need any special network position beyond being able to reach the exposed HTTP port (typically 8545).
Impact
Successful exploitation results in a denial of service condition, characterized by memory exhaustion and the Geth daemon hanging or becoming unresponsive. This can disrupt the node's ability to process transactions, maintain synchronization with the Ethereum network, or serve legitimate client requests [3]. In extreme cases, the node may crash due to out-of-memory errors, requiring manual intervention to restart.
Mitigation
As of the CVE publication date (October 2023), the vulnerability remains unpatched in Geth 1.13.4. The recommended mitigation is to avoid exposing the GraphQL endpoint to untrusted networks, as advised by the vendor [4]. Users should restrict access to the JSON-RPC and GraphQL ports (e.g., 8545) via firewall rules, and consider using a reverse proxy with rate limiting and request filtering if public access is necessary. Additionally, disabling the GraphQL endpoint entirely (--graphql flag omitted) eliminates the attack surface.
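The reverse-proxy mitigation described above, as an added example that is not part of this CVE record or of go-ethereum's own code: a small Go proxy placed in front of the node's HTTP port that caps the request body size, rejects GraphQL documents containing more than a fixed number of aliased fields, and applies a per-client-IP rate limit before forwarding. The upstream address 127.0.0.1:8545, the listen address 127.0.0.1:8080, the limit values and the alias regular expression are assumptions; the alias check is a heuristic over the query text, not a GraphQL parser, so it may over-count enum arguments, which only makes the cap stricter.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"sync"
	"time"
)

// Limits enforced in front of the GraphQL endpoint. All values are assumed
// for this example; tune them to the traffic the node is meant to serve.
const (
	maxBodyBytes  = 16 * 1024    // largest accepted query document
	maxAliases    = 20           // most aliased fields allowed in one document
	perClientRate = 5            // requests allowed per window per client IP
	rateWindow    = time.Second  // length of the fixed rate window
)

// aliasPattern matches an alias-like construct "name: field" in a GraphQL
// document. Heuristic only: a colon followed by a number, string or variable
// (arguments) does not match, an enum argument does.
var aliasPattern = regexp.MustCompile(`\b[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Za-z_]`)

// countAliases returns how many alias-like constructs appear in query.
func countAliases(query string) int {
	return len(aliasPattern.FindAllStringIndex(query, -1))
}

// clientLimiter is a fixed-window request counter keyed by client IP.
type clientLimiter struct {
	mu      sync.Mutex
	windows map[string]windowState
	now     func() time.Time // injectable clock, used by tests
}

type windowState struct {
	start time.Time
	count int
}

func newClientLimiter() *clientLimiter {
	return &clientLimiter{windows: map[string]windowState{}, now: time.Now}
}

// allow records one request from ip and reports whether it stays within
// perClientRate for the current window.
func (l *clientLimiter) allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	w := l.windows[ip]
	if now.Sub(w.start) >= rateWindow {
		w = windowState{start: now}
	}
	w.count++
	l.windows[ip] = w
	return w.count <= perClientRate
}

// guard wraps next with the rate limit, body-size cap and alias cap. Requests
// that fail a check are answered here and never reach the node.
func guard(l *clientLimiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		if !l.allow(ip) {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		var doc struct {
			Query string `json:"query"`
		}
		if err := json.Unmarshal(body, &doc); err != nil {
			http.Error(w, "malformed request", http.StatusBadRequest)
			return
		}
		if countAliases(doc.Query) > maxAliases {
			http.Error(w, "too many aliased fields", http.StatusBadRequest)
			return
		}
		// Body was consumed by the checks; restore it for the upstream proxy.
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed: Geth's HTTP server (and with it the GraphQL endpoint) listens
	// on 127.0.0.1:8545 and only this proxy is reachable from outside.
	upstream, err := url.Parse("http://127.0.0.1:8545")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", guard(newClientLimiter(), proxy)))
}
```

The proxy only helps if the node's own port is not reachable directly; the firewall rule restricting 8545 stays in place and the proxy is the sole exposed listener.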
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ethereum/go-ethereum (Go) | <= 1.13.4 | — |
Affected products
- Geth/go-ethereum
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.