CVE-2021-47748 Overview
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
Critical Impact
This vulnerability enables unauthenticated remote attackers to execute arbitrary system commands on the underlying server, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Hasura GraphQL Engine version 1.3.3
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47748 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47748
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in how Hasura GraphQL Engine version 1.3.3 processes SQL queries through its run_sql administrative endpoint.
The vulnerability stems from insufficient input validation when handling GraphQL requests that interact with the underlying PostgreSQL database. An attacker can leverage PostgreSQL's COPY FROM PROGRAM functionality, which allows executing arbitrary shell commands as the database user. By crafting specially designed GraphQL queries targeting the run_sql endpoint, attackers can break out of the SQL context and execute system-level commands on the host server.
The network-accessible nature of this vulnerability, combined with no authentication requirements and low attack complexity, makes it particularly dangerous for exposed Hasura GraphQL instances.
Root Cause
The root cause of this vulnerability lies in the improper sanitization of user-supplied input within the run_sql endpoint. Hasura GraphQL Engine fails to adequately validate or escape SQL statements before passing them to the PostgreSQL backend. This allows attackers to inject malicious SQL that leverages PostgreSQL's COPY FROM PROGRAM feature, which is designed to execute shell commands and import their output into database tables.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a crafted GraphQL mutation to the run_sql endpoint containing malicious SQL that exploits PostgreSQL's command execution capabilities. The attack flow involves:
- Identifying an exposed Hasura GraphQL endpoint
- Crafting a GraphQL mutation targeting the run_sql administrative endpoint
- Embedding PostgreSQL COPY FROM PROGRAM syntax within the SQL payload
- The payload executes arbitrary shell commands with the privileges of the PostgreSQL process
The vulnerability allows complete command execution through the abuse of PostgreSQL's COPY FROM PROGRAM functionality. Attackers craft malicious GraphQL queries containing SQL statements that leverage this PostgreSQL feature to execute arbitrary system commands. Technical details and proof-of-concept information can be found in the Exploit-DB #49802 entry.
Detection Methods for CVE-2021-47748
Indicators of Compromise
- Unusual GraphQL queries targeting the run_sql endpoint with COPY FROM PROGRAM syntax
- Unexpected outbound network connections from PostgreSQL or Hasura processes
- Anomalous process spawning from the PostgreSQL service account
- Log entries showing SQL statements containing shell command syntax
Detection Strategies
- Monitor GraphQL query logs for requests to the run_sql endpoint containing suspicious SQL patterns
- Implement Web Application Firewall (WAF) rules to detect and block COPY FROM PROGRAM in request payloads
- Deploy network-level monitoring to detect command-and-control communications originating from database servers
- Enable detailed PostgreSQL logging to capture all SQL statements executed through the database
Monitoring Recommendations
- Configure alerting on any usage of PostgreSQL's COPY FROM PROGRAM functionality
- Monitor for unusual process creation by the PostgreSQL or Hasura service accounts
- Implement file integrity monitoring on critical system directories
- Review access logs for repeated or automated requests to GraphQL administrative endpoints
How to Mitigate CVE-2021-47748
Immediate Actions Required
- Upgrade Hasura GraphQL Engine to a patched version immediately
- Restrict network access to Hasura GraphQL administrative endpoints using firewall rules
- Implement authentication and authorization controls on the run_sql endpoint
- Review PostgreSQL logs for evidence of prior exploitation attempts
Patch Information
Organizations should upgrade to a patched version of Hasura GraphQL Engine. Consult the GitHub Hasura GraphQL Engine repository for the latest security releases and upgrade instructions. Additional vulnerability details are available from the VulnCheck Hasura Advisory.
Workarounds
- Disable or restrict access to the run_sql endpoint if not required for operations
- Implement network segmentation to isolate Hasura GraphQL instances from untrusted networks
- Configure PostgreSQL to revoke COPY FROM PROGRAM privileges from the Hasura database user
- Deploy a reverse proxy with request filtering to block malicious GraphQL patterns
# Configuration example - Restrict PostgreSQL COPY FROM PROGRAM
# In postgresql.conf, consider running as a restricted user
# Revoke superuser privileges from the Hasura database user
psql -c "ALTER USER hasura_user NOSUPERUSER;"
# Additionally, restrict network access to Hasura admin endpoints
# Example iptables rule to limit access to localhost only
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
