CVE-2023-50730: Grackle has StackOverflowError in GraphQL query processing
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
Caution: No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.
Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.