CVE-2023-50730
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-50730 is a vulnerability in Grackle, a GraphQL server written in functional Scala. The GraphQL specification requires that fragment spreads must not form cycles, either directly or indirectly. Prior to version 0.18.0, Grackle did not check this requirement, so a query whose fragments spread into one another in a cycle was accepted for type checking and compilation, where it typically ended in a JVM StackOverflowError. Separately, Grackle's query parser could also throw a StackOverflowError on queries with deeply nested selection sets, input values, or list types. Both failures occur very early in query processing, before anything schema-specific is resolved, so an attacker needs no knowledge of the application's GraphQL schema to trigger them; any application that exposes Grackle to untrusted clients is therefore at risk of denial of service. Both issues are fixed in Grackle v0.18.0. Users who cannot upgrade can place a sanitizing layer in front of the endpoint that rejects cyclic fragment spreads and excessively nested queries before Grackle processes them.
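The sanitizing layer described above, as an added example that is not Grackle's own code and not taken from the advisory. It is written in Python rather than Scala because such a gate is language-independent and can sit in any reverse proxy or middleware in front of the GraphQL endpoint. It lexes a subset of the GraphQL grammar, measures the deepest nesting of selection sets, argument lists and list values/types, builds the fragment-spread graph and runs an iterative cycle search over it (iterative on purpose, so a long chain of fragments cannot overflow the checker's own stack). The function names, the default depth limit of 32 and the sample documents are assumptions chosen for illustration.

```python
"""Pre-filter for GraphQL documents: reject cyclic fragment spreads and
over-deep nesting before the query reaches the real server.
Added example, not Grackle's code; the lexer covers only the subset of the
GraphQL lexical grammar a gatekeeper needs."""
import re
from typing import Dict, List, Optional, Tuple

Token = Tuple[str, str]  # (kind, text)

# Subset of the GraphQL lexical grammar; commas and comments are insignificant.
_TOKEN_RE = re.compile(r'''
      (?P<ws>[\s,]+|\#[^\r\n]*)
    | (?P<block>"""(?:\\"""|(?!""").)*""")
    | (?P<string>"(?:\\.|[^"\\\r\n])*")
    | (?P<spread>\.\.\.)
    | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
    | (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
    | (?P<punct>[!$&():=@\[\]{}|])
''', re.VERBOSE | re.DOTALL)
_OPEN, _CLOSE = "{([", "})]"


def tokenize(src: str) -> List[Token]:
    """Lex a document; raise ValueError on a character the subset cannot lex."""
    tokens: List[Token] = []
    pos = 0
    while pos < len(src):
        m = _TOKEN_RE.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


def nesting_depth(tokens: List[Token]) -> int:
    """Deepest nesting of {...}, (...) and [...]; ValueError if unbalanced."""
    depth = deepest = 0
    for kind, text in tokens:
        if kind != "punct":
            continue
        if text in _OPEN:
            depth += 1
            deepest = max(deepest, depth)
        elif text in _CLOSE:
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if depth != 0:
        raise ValueError("unbalanced opening bracket")
    return deepest


def fragment_graph(tokens: List[Token]) -> Dict[str, List[str]]:
    """Map each top-level fragment definition to the named spreads in its body."""
    graph: Dict[str, List[str]] = {}
    i, n, depth = 0, len(tokens), 0
    while i < n:
        kind, text = tokens[i]
        if kind == "punct" and text in _OPEN:
            depth += 1
        elif kind == "punct" and text in _CLOSE:
            depth -= 1
        # only a depth-0 'fragment' is the keyword; inside a selection set it is a field name
        if not (depth == 0 and tokens[i] == ("name", "fragment")):
            i += 1
            continue
        if i + 3 >= n or tokens[i + 1][0] != "name" or tokens[i + 2] != ("name", "on"):
            raise ValueError(f"malformed fragment definition at token {i}")
        name = tokens[i + 1][1]
        j, paren = i + 3, 0  # skip the type condition and any directives (their args may hold braces)
        while j < n and not (paren == 0 and tokens[j] == ("punct", "{")):
            paren += tokens[j] == ("punct", "(")
            paren -= tokens[j] == ("punct", ")")
            j += 1
        spreads: List[str] = []
        body = 0
        while j < n:  # walk the body until its braces balance again
            kind, text = tokens[j]
            if kind == "punct" and text == "{":
                body += 1
            elif kind == "punct" and text == "}":
                body -= 1
                if body == 0:
                    break
            elif kind == "spread" and j + 1 < n and tokens[j + 1][0] == "name" and tokens[j + 1][1] != "on":
                spreads.append(tokens[j + 1][1])  # '... on T' is an inline fragment, not a spread
            j += 1
        graph.setdefault(name, []).extend(spreads)
        i = j + 1
    return graph


def find_fragment_cycle(graph: Dict[str, List[str]]) -> Optional[List[str]]:
    """Iterative DFS; return a spread chain that revisits a fragment, e.g. ['A','B','A'], or None."""
    colour = {name: 0 for name in graph}  # 0 unvisited, 1 on the current path, 2 done
    for root in graph:
        if colour[root]:
            continue
        colour[root] = 1
        path, iters = [root], [iter(graph[root])]
        while path:
            nxt = next(iters[-1], None)
            if nxt is None:
                colour[path.pop()] = 2
                iters.pop()
            elif nxt not in graph:
                continue  # spread of an undefined fragment: the server's validator reports that
            elif colour[nxt] == 1:
                return path[path.index(nxt):] + [nxt]
            elif colour[nxt] == 0:
                colour[nxt] = 1
                path.append(nxt)
                iters.append(iter(graph[nxt]))
    return None


def check_query(src: str, max_depth: int = 32) -> List[str]:
    """Return the reasons to reject `src`; an empty list means pass it through."""
    problems: List[str] = []
    try:
        tokens = tokenize(src)
        depth = nesting_depth(tokens)
    except ValueError as e:
        return [f"lexical/bracket error: {e}"]
    if depth > max_depth:
        problems.append(f"nesting depth {depth} exceeds limit {max_depth}")
    try:
        cycle = find_fragment_cycle(fragment_graph(tokens))
    except ValueError as e:
        return problems + [f"malformed fragment: {e}"]
    if cycle:
        problems.append("cyclic fragment spread: " + " -> ".join(cycle))
    return problems


# Constructed sample documents (assumptions for illustration, not from the advisory).
CYCLIC_QUERY = """
query { viewer { ...UserBits } }
fragment UserBits on User { id ...MoreBits }
fragment MoreBits on User { name ...UserBits }   # UserBits -> MoreBits -> UserBits
"""
DEEP_QUERY = "{ a " * 400 + "}" * 400  # 400 nested selection sets, no schema knowledge needed
BENIGN_QUERY = """
query($ids: [ID!]!) { users(ids: $ids) { id ...Basic } }
fragment Basic on User { name email }
"""

if __name__ == "__main__":
    for label, doc in (("cyclic", CYCLIC_QUERY), ("deep", DEEP_QUERY), ("benign", BENIGN_QUERY)):
        print(label, check_query(doc) or "ok")
```

Run the gate on the raw request body and return HTTP 400 when `check_query` reports anything; because both triggers are visible at the lexical level, the check needs no schema and costs one linear pass over the document. The depth limit is a policy choice: set it just above the deepest query your own clients legitimately send.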