Description
Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn't checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM `StackOverflowError` being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed. Grackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse `recursive` operator. However, `recursive` is not currently stack safe. `recursive` was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM `StackOverflowException` to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
Remediation
References
https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8
https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd
https://github.com/typelevel/grackle/releases/tag/v0.18.0
Related Vulnerabilities
CVE-2020-16041 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-33950 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2017-15691 Vulnerability in maven package org.apache.uima:uimaj-examples
CVE-2017-15686 Vulnerability in maven package org.craftercms:crafter-studio
CVE-2022-46687 Vulnerability in maven package io.jenkins.plugins:spring-config