Birkir Prime Denial-of-Service Vulnerability in GraphQL Array-Based Query Batch Handler
Vulnerability
A denial-of-service vulnerability has been identified in Birkir Prime versions through 0.4.0.beta.0. The issue arises in the GraphQL Array Based Query Batch Handler, specifically within an unknown function of the file '/graphql'. This vulnerability allows remote attackers to disrupt service by sending an array of queries in a single HTTP request, which can lead to resource exhaustion. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability causes a denial-of-service condition, disrupting the application's availability by overwhelming it with excessive queries.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/graphql' endpoint with an array of query objects. Each query object should contain a simple query, such as one that requests the '__typename' field. This can be done using a tool like cURL, by specifying the appropriate headers and the payload containing the array of queries.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.