Birkir Prime Denial-of-Service Vulnerability in GraphQL Field Handler
Vulnerability
A denial-of-service vulnerability has been identified in Birkir Prime versions through 0.4.0.beta.0. The issue is in the GraphQL Field Handler component, in an unknown function of the /graphql file. A single query can request the same field multiple times, and the server executes the resolver for each repetition. This amplifies database queries or computational work and leads to a denial-of-service condition. The vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available.
Impact
Exploitation of this vulnerability causes a denial-of-service condition, where the application becomes unresponsive or unavailable to users.
Reproduction
The vulnerability can be reproduced by sending a GraphQL query that requests the same field multiple times. This can be done using a GraphQL client or a tool like curl. The query should be crafted to include a field that the server's GraphQL implementation will resolve repeatedly, such as a field that returns database records or computational results. The server will process each request for the repeated field, leading to increased load and potential unavailability.
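A server-side guard against this pattern, as an added example (not code from Prime or from the original advisory): it counts how often each field repeats within one selection set and rejects the query before any resolver runs. The function names, the `MAX_REPEATS` limit and the sample field names are assumptions.

```javascript
// Added example, not Prime's code. MAX_REPEATS and all names are assumptions.
const MAX_REPEATS = 5; // assumed policy value; tune per schema

// Returns the most-repeated field within any single selection set.
function maxFieldRepeats(query) {
  // Blank out strings and comments so their contents are never tokenized.
  const src = query.replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g, " ");
  const tokens = src.match(/\.\.\.|[A-Za-z_]\w*|[{}():@]/g) || [];
  const isName = (t) => /^[A-Za-z_]/.test(t || "");
  const stack = []; // one Map(fieldName -> count) per open selection set
  let parens = 0;
  let worst = { field: null, count: 0 };

  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === "(") { parens++; continue; }
    if (t === ")") { parens--; continue; }
    if (parens > 0) continue;                 // arguments, variable definitions
    if (t === "{") { stack.push(new Map()); continue; }
    if (t === "}") { stack.pop(); continue; }
    if (stack.length === 0) continue;         // operation or fragment header
    if (t === "@") { i++; continue; }         // directive name is not a field
    if (t === "...") {                        // fragment spread / inline fragment
      if (tokens[i + 1] === "on") i += 2;
      else if (isName(tokens[i + 1])) i++;
      continue;
    }
    // `alias: field` counts under `field`, the name the resolver is bound to.
    const field = tokens[i + 1] === ":" ? tokens[(i += 2)] : t;
    if (!isName(field)) continue;
    const counts = stack[stack.length - 1];
    const n = (counts.get(field) || 0) + 1;
    counts.set(field, n);
    if (n > worst.count) worst = { field, count: n };
  }
  return worst;
}

// Decide before execution; a rejected query never reaches a resolver.
function checkQuery(query, limit = MAX_REPEATS) {
  const worst = maxFieldRepeats(query);
  return { allowed: worst.count <= limit, field: worst.field, count: worst.count };
}

// Constructed sample inputs; field names are made up, not taken from Prime's schema.
const normal = `query { allPosts(first: 10) { id title author { id name } } }`;
const repeated = `query { ${"allPosts { id } ".repeat(8)}}`;
console.log(checkQuery(normal));
console.log(checkQuery(repeated));
```

Fragment spreads are skipped rather than expanded here, so a production deployment would apply the same count as a validation rule on the parsed query document.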
