Description
Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn't checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM `StackOverflowError` being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed. Grackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse `recursive` operator. However, `recursive` is not currently stack safe. `recursive` was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM `StackOverflowException` to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
Remediation
References
https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8
https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd
https://github.com/typelevel/grackle/releases/tag/v0.18.0
Related Vulnerabilities
CVE-2021-32050 Vulnerability in maven package org.webjars.npm:mongodb
CVE-2023-26136 Vulnerability in npm package tough-cookie
CVE-2020-6457 Vulnerability in maven package org.webjars.npm:electron
CVE-2022-45382 Vulnerability in maven package org.jenkins-ci.plugins:naginator
CVE-2021-28655 Vulnerability in maven package org.apache.zeppelin:zeppelin