CVE-2024-40094 Overview
CVE-2024-40094 is a Denial of Service vulnerability in GraphQL Java (graphql-java) that affects versions prior to 21.5, with fix releases also available for the 20.x and 19.x branches. The vulnerability stems from improper handling of ExecutableNormalizedFields (ENFs) during introspection query processing, which can allow attackers to exhaust server resources.
Critical Impact
Attackers can exploit improperly handled introspection queries to cause resource exhaustion and denial of service conditions in applications using vulnerable versions of graphql-java.
Affected Products
- GraphQL Java versions before 21.5
- GraphQL Java versions before 20.9 (in 20.x branch)
- GraphQL Java versions before 19.11 (in 19.x branch)
Discovery Timeline
- 2024-07-30 - CVE-2024-40094 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-40094
Vulnerability Analysis
This vulnerability affects the introspection query handling mechanism in GraphQL Java. The core issue lies in how ExecutableNormalizedFields (ENFs) are processed during query execution. GraphQL introspection queries allow clients to discover the schema of a GraphQL API, but without proper limits on ENF processing, maliciously crafted introspection queries can cause excessive computational overhead.
The vulnerability exists because the library did not properly account for ENF counts when implementing denial of service protections. An attacker can craft introspection queries that generate an abnormally high number of ExecutableNormalizedFields, leading to resource exhaustion on the server side.
Root Cause
The root cause is the missing enforcement of operation field count and depth limits during the creation of ExecutableNormalizedOperation objects. The vulnerable code path in ExecutableNormalizedOperationFactory.createExecutableNormalizedOperation() allowed unbounded ENF generation without proper validation or limiting mechanisms.
Attack Vector
The attack is network-based and can be executed by unauthenticated remote attackers. An attacker sends specially crafted GraphQL introspection queries to a vulnerable endpoint. These queries are designed to maximize the number of ExecutableNormalizedFields generated during query normalization, consuming excessive CPU and memory resources.
The security patch introduces operationFieldCount and operationDepth tracking to the ExecutableNormalizedOperation class:
private final Map<ExecutableNormalizedField, MergedField> normalizedFieldToMergedField;
private final Map<ExecutableNormalizedField, QueryDirectives> normalizedFieldToQueryDirectives;
private final ImmutableListMultimap<FieldCoordinates, ExecutableNormalizedField> coordinatesToNormalizedFields;
+ private final int operationFieldCount;
+ private final int operationDepth;
public ExecutableNormalizedOperation(
OperationDefinition.Operation operation,
Source: GitHub Commit Details
Detection Methods for CVE-2024-40094
Indicators of Compromise
- Unusual spikes in CPU or memory usage on servers hosting GraphQL endpoints
- High volume of introspection queries (__schema, __type) from single sources
- Abnormally long query execution times for introspection requests
- Application timeouts or out-of-memory errors during GraphQL query processing
Detection Strategies
- Monitor GraphQL endpoint logs for patterns of repeated introspection queries
- Implement query complexity analysis to detect queries with excessive field counts
- Set up alerting for abnormal resource consumption on GraphQL service instances
- Review application dependencies to identify vulnerable graphql-java versions
Monitoring Recommendations
- Configure application performance monitoring (APM) to track GraphQL query execution metrics
- Implement rate limiting on introspection endpoints to detect abuse patterns
- Enable detailed logging for GraphQL query parsing and normalization phases
- Monitor JVM heap usage and garbage collection metrics for Java applications using graphql-java
How to Mitigate CVE-2024-40094
Immediate Actions Required
- Upgrade graphql-java to version 21.5 or later immediately
- For applications on 20.x branch, upgrade to version 20.9
- For applications on 19.x branch, upgrade to version 19.11
- Review and disable introspection queries in production if not required
Patch Information
The graphql-java maintainers have released patched versions across multiple supported branches. The fix was implemented in Pull Request #3539 and adds proper tracking and limiting of ExecutableNormalizedFields during query processing.
Fixed versions are available:
For additional context, see the GitHub Discussion Thread.
Workarounds
- Disable GraphQL introspection in production environments where schema discovery is not needed
- Implement query depth limiting at the application level to restrict query complexity
- Deploy a Web Application Firewall (WAF) with rules to detect and block malicious GraphQL queries
- Apply rate limiting specifically to GraphQL introspection endpoints
# Maven dependency update example
# Update pom.xml to use fixed version:
# <dependency>
# <groupId>com.graphql-java</groupId>
# <artifactId>graphql-java</artifactId>
# <version>21.5</version>
# </dependency>
# Gradle dependency update:
# implementation 'com.graphql-java:graphql-java:21.5'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
