VYPR
High severityNVD Advisory· Published Dec 22, 2023· Updated Aug 2, 2024

Grackle has StackOverflowError in GraphQL query processing

CVE-2023-50730

Description

Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn't checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM StackOverflowError being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed.

Grackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse recursive operator. However, recursive is not currently stack safe. recursive was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM StackOverflowException to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query.

The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.typelevel:grackle-core_2.13Maven
< 0.18.00.18.0
org.typelevel:grackle-core_3Maven
< 0.18.00.18.0
org.typelevel:grackle-core_sjs1_2.13Maven
< 0.18.00.18.0
org.typelevel:grackle-core_sjs1_3Maven
< 0.18.00.18.0
org.typelevel:grackle-core_native0.4_2.13Maven
< 0.18.00.18.0
org.typelevel:grackle-core_native0.4_3Maven
< 0.18.00.18.0
edu.gemini:gsp-graphql-core_2.13Maven
<= 0.14.0
edu.gemini:gsp-graphql-core_3Maven
<= 0.14.0
edu.gemini:gsp-graphql-core_sjs1_2.13Maven
<= 0.14.0
edu.gemini:gsp-graphql-core_sjs1_3Maven
<= 0.14.0
edu.gemini:gsp-graphql-core_native0.4_2.13Maven
<= 0.14.0
edu.gemini:gsp-graphql-core_native0.4_3Maven
<= 0.14.0

Affected products

13

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.