Silverstripe GraphQL Recursive Query Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Silverstripe GraphQL package, versions 3.0.0 prior to 3.8.2, 4.0.0 prior to 4.1.3, 4.2.0 prior to 4.2.5, 4.3.0 prior to 4.3.4, and 5.0.0 prior to 5.0.3. It allows an attacker to mount a distributed denial-of-service (DDoS) attack by sending a recursive GraphQL query that exhausts the server resources of the website. The issue primarily affects sites with publicly exposed GraphQL schemas; for projects that do not expose a public GraphQL schema, a user account is required to trigger the DDoS attack. If the site is behind a content delivery network (CDN) such as Imperva or CloudFlare, the risk may be further mitigated.

Impact

Exploitation of this vulnerability can lead to a significant degradation of server performance, causing a denial-of-service condition where legitimate users experience slowdowns or are unable to access the site altogether.

Reproduction

To reproduce this vulnerability, send a recursive GraphQL query to a public endpoint that uses an affected version of the Silverstripe GraphQL package. If the site does not expose a public GraphQL schema, log in with a user account and send the query. The server will become overwhelmed, causing a denial-of-service condition.

Remediation

Upgrade to Silverstripe GraphQL versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, or 5.0.3. After upgrading, review the new configuration options available in these versions to ensure your project's GraphQL schema is properly secured against recursive or complex queries.
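The new configuration options are not listed here, but the class of control they provide is a limit on query depth or complexity. As an added illustration, not code from the Silverstripe project or from this advisory, the following defender-side pre-filter rejects GraphQL documents whose selection sets nest deeper than a limit; `MAX_DEPTH`, `selection_depth`, `check_query` and `nested_query` are assumed names, and the sample queries are constructed.

```python
MAX_DEPTH = 5  # assumed limit; set it to the deepest shape your schema legitimately needs

def selection_depth(query: str) -> int:
    """Maximum nesting depth of '{ ... }' selection sets in a GraphQL document.
    Braces inside string literals and '#' comments are not counted."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":  # line comment: skip to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):  # block string: skip to closing triple quote
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 2
        elif c == '"':  # ordinary string, honouring backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in query")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '{' in query")
    return max_depth

def check_query(query: str, limit: int = MAX_DEPTH) -> tuple[bool, str]:
    """Return (accepted, reason); malformed documents are rejected as well."""
    try:
        depth = selection_depth(query)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if depth > limit:
        return False, f"rejected: depth {depth} exceeds limit {limit}"
    return True, f"accepted: depth {depth}"

def nested_query(levels: int) -> str:
    """Constructed test input: a selection that nests 'children' `levels` times (depth levels + 2)."""
    return "{ page " + "{ children " * levels + "{ id }" + " }" * (levels + 1)

NORMAL_QUERY = ('{ page(id: "x") { title(format: "{plain}") '  # constructed sample, depth 3
                'children { title } } }')
```

This brace-level check does not expand fragment spreads, so it is a cheap front-line filter, not a replacement for upgrading and for the depth and complexity validation rules of the GraphQL library itself.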

Added: Mar 11, 2026, 7:11 PM
Updated: Mar 11, 2026, 7:11 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 8.6
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.