Hasura GraphQL
cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*
- 1.3.3
This vulnerability is being actively exploited in the wild.
A denial-of-service vulnerability affects Hasura GraphQL Engine 1.3.3. An attacker can overwhelm the service with GraphQL queries that select data through excessively nested fields. Exploitation consists of sending repeated requests carrying very long query strings from multiple threads; each request forces the engine to do substantial work, and together they consume server resources until the GraphQL endpoint becomes unresponsive or crashes.
Successful exploitation significantly degrades server performance and can crash the GraphQL endpoint under the load of malicious queries, denying service to legitimate clients.
To reproduce: create a table in the database that Hasura GraphQL Engine serves and insert a row containing a large amount of data. Then send a crafted GraphQL query that reads that data through excessively nested fields; a single such query already consumes disproportionate server resources. Sending the same query from many parallel threads, which is easily automated with a script, exhausts the server.
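The nested-field shape described above can be screened before a request reaches the engine. The following added example (not Hasura's code and not part of the advisory) is a small pre-filter that measures a GraphQL document's selection-set depth and byte length and rejects documents that exceed a policy; the limits `MAX_DEPTH` and `MAX_BYTES`, the `nested_query` builder and the sample queries are all assumptions chosen for illustration.

```python
"""Pre-filter for GraphQL requests: reject documents whose selection-set
nesting or byte length exceeds a policy before they reach the engine.

Added example, not Hasura's code. MAX_DEPTH, MAX_BYTES, nested_query and
the sample queries are assumptions chosen for illustration.
"""

MAX_DEPTH = 8      # assumed policy: deepest selection set allowed
MAX_BYTES = 8192   # assumed policy: largest query document allowed


def selection_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a GraphQL document.

    Counts '{' / '}' pairs while skipping comments, string literals, block
    strings, and braces inside parentheses (argument object literals such as
    Hasura's ``where: {id: {_eq: 1}}`` are values, not selection sets).
    The outermost operation body counts as depth 1. Raises ValueError on
    unbalanced braces. This is a lightweight scanner, not a full parser.
    """
    depth = max_depth = parens = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":                      # comment runs to end of line
            while i < n and query[i] not in "\r\n":
                i += 1
        elif query.startswith('"""', i):  # block string: skip to closing """
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
        elif c == '"':                    # regular string, honouring escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        else:
            if c == "(":
                parens += 1
            elif c == ")":
                parens = max(parens - 1, 0)
            elif c == "{" and parens == 0:
                depth += 1
                max_depth = max(max_depth, depth)
            elif c == "}" and parens == 0:
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced braces: unexpected '}'")
            i += 1
    if depth != 0:
        raise ValueError("unbalanced braces: missing '}'")
    return max_depth


def check_query(query: str, max_depth: int = MAX_DEPTH,
                max_bytes: int = MAX_BYTES) -> tuple:
    """Return (accepted, reason) for a document under the size and depth policy."""
    size = len(query.encode("utf-8"))
    if size > max_bytes:
        return False, f"query is {size} bytes, limit {max_bytes}"
    try:
        depth = selection_depth(query)
    except ValueError as exc:
        return False, f"malformed query: {exc}"
    if depth > max_depth:
        return False, f"selection depth {depth} exceeds limit {max_depth}"
    return True, "ok"


def nested_query(levels: int, fields: tuple = ("posts", "author")) -> str:
    """Build a constructed query that alternates through `fields` `levels`
    deep (posts -> author -> posts ...), the shape the advisory describes.
    The resulting depth is levels + 1 (the outer operation body)."""
    body = "id"
    for i in range(levels):
        body = f"{fields[i % len(fields)]} {{ {body} }}"
    return f"query {{ {body} }}"


if __name__ == "__main__":
    # Constructed sample requests: one ordinary, one abusive.
    benign = 'query { users(where: {name: {_eq: "}"}}) { id posts { id } } }'
    abusive = nested_query(40)
    for q in (benign, abusive):
        ok, why = check_query(q)
        print(f"{'ACCEPT' if ok else 'REJECT'} depth={selection_depth(q)} {why}")
```

Depth and length limits bound the shape of a document, not its cost: a shallow query over a very large row or over many relationships can still be expensive, so pair a filter like this with rate limiting and result-size limits. Hasura itself also supports a query allow-list (`HASURA_GRAPHQL_ENABLE_ALLOWLIST`), which restricts production traffic to pre-approved operations and removes the attacker's freedom to craft arbitrary nesting at all.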