CVE-2023-28867 Overview
CVE-2023-28867 is a Denial of Service vulnerability in GraphQL Java (graphql-java) that allows attackers to cause stack consumption through crafted GraphQL queries. This vulnerability affects versions prior to 20.1, 19.4, 18.4, and 17.5, enabling unauthenticated remote attackers to exhaust server resources and render GraphQL endpoints unresponsive.
Critical Impact
Unauthenticated attackers can remotely crash GraphQL services by sending specially crafted queries that cause stack overflow through uncontrolled recursion, leading to complete service unavailability.
Affected Products
- GraphQL Java versions prior to 20.1
- GraphQL Java versions prior to 19.4
- GraphQL Java versions prior to 18.4
- GraphQL Java versions prior to 17.5
Discovery Timeline
- 2023-03-27 - CVE CVE-2023-28867 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28867
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in how GraphQL Java processes deeply nested or recursive query structures without adequate depth limitations. When a malicious query with excessive nesting is submitted to a vulnerable GraphQL endpoint, the parser recursively processes each level, consuming stack memory with each recursive call until the stack is exhausted.
The attack is particularly dangerous because it requires no authentication—any user who can reach a GraphQL endpoint can potentially exploit this vulnerability. The impact is limited to availability; there is no evidence of data confidentiality or integrity being affected.
Root Cause
The root cause stems from insufficient validation of query depth and complexity during GraphQL query parsing. GraphQL Java did not implement adequate controls to limit the recursion depth when processing nested query structures, allowing attackers to craft queries that trigger unbounded recursive processing.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can craft a GraphQL query with deeply nested fields or fragments that, when parsed by the vulnerable library, causes the Java Virtual Machine to exhaust its stack space. This results in a StackOverflowError that crashes the application or thread handling the request.
The attack involves sending malicious GraphQL queries to vulnerable endpoints. Attackers can leverage nested fragments, deeply nested field selections, or recursive query structures to trigger the stack consumption. Since GraphQL endpoints are commonly exposed to external networks for API access, this vulnerability presents a significant risk to internet-facing applications.
Detection Methods for CVE-2023-28867
Indicators of Compromise
- Application crashes or thread terminations with StackOverflowError exceptions in GraphQL processing components
- Unusual spikes in GraphQL request processing times or timeouts
- Log entries showing repeated java.lang.StackOverflowError in graphql-java related stack traces
- Memory and CPU utilization anomalies coinciding with GraphQL endpoint activity
Detection Strategies
- Monitor application logs for StackOverflowError exceptions originating from graphql-java packages
- Implement request logging to track unusually large or deeply nested GraphQL queries
- Deploy application performance monitoring (APM) to detect stack consumption patterns
- Use Web Application Firewall (WAF) rules to identify and block excessively nested GraphQL queries
Monitoring Recommendations
- Set up alerting for JVM stack overflow errors in GraphQL-handling threads
- Monitor GraphQL endpoint response times for anomalous latency patterns
- Track query complexity metrics if available in your GraphQL implementation
- Review access logs for patterns of repeated complex query submissions from single sources
How to Mitigate CVE-2023-28867
Immediate Actions Required
- Upgrade graphql-java to version 20.1, 19.4, 18.4, or 17.5 depending on your major version branch
- If immediate patching is not possible, implement query depth limiting at the application or gateway level
- Review GraphQL endpoint exposure and consider adding rate limiting
- Monitor for exploitation attempts while patch deployment is underway
Patch Information
The graphql-java maintainers have released patched versions addressing this vulnerability. The fix is detailed in the GitHub Pull Request #3112. Organizations should upgrade to the appropriate patched version based on their current major version:
- Version 20.1 for version 20.x users
- Version 19.4 for version 19.x users
- Version 18.4 for version 18.x users
- Version 17.5 for version 17.x users
Workarounds
- Implement GraphQL query depth limiting using MaxQueryDepthInstrumentation to restrict maximum query nesting levels
- Configure query complexity analysis to reject queries exceeding defined thresholds
- Deploy a reverse proxy or API gateway with GraphQL-aware query validation capabilities
- Consider implementing request timeouts to terminate long-running query processing
# Maven dependency update example for version 20.1
# Update your pom.xml graphql-java dependency:
# <dependency>
# <groupId>com.graphql-java</groupId>
# <artifactId>graphql-java</artifactId>
# <version>20.1</version>
# </dependency>
# Gradle dependency update example:
# implementation 'com.graphql-java:graphql-java:20.1'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
