CVE-2022-30288: Uncontrolled Resource Consumption

May 4, 2022 (updated November 7, 2023)

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server’s responsibility to “enforce all the various ways a developer could write code with logic errors.

References

github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md
github.com/ohler55/agoo/issues/109
nvd.nist.gov/vuln/detail/CVE-2022-30288
spec.graphql.org/October2021/

Code Behaviors & Features

Detect and mitigate CVE-2022-30288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →