Saleor GraphQL Unbounded Query Batching Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Saleor, an e-commerce platform, affecting versions from 2.0.0 up to, but not including, the patched releases 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. The issue arises from the platform's support for query batching, which allows multiple GraphQL operations to be submitted in a single HTTP request as a JSON array. Saleor did not enforce a limit on the number of operations in a batch, so an unauthenticated attacker could submit a single request containing an excessive number of operations. Because the complexity limit is applied per query rather than per request, such a batch bypassed it and exhausted server resources, including CPU, memory, and database connections, while blocking asynchronous workers.

Impact

Exhaustion of the server's CPU, memory, and database connections, causing blocked asynchronous workers and disrupted service.

Reproduction

The vulnerability can be reproduced by sending a single HTTP request that includes a large number of GraphQL operations in the JSON body. This can be done using a GraphQL client or a tool like Postman, by creating a batch query that exceeds the server's processing limits. The absence of a proper alias or mutation count limit in the default configuration allows this exploitation to occur.

Remediation

Users are advised to upgrade to Saleor versions 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. If an immediate upgrade is not possible, it is recommended to implement a live patch at the Web Application Firewall (WAF) level by limiting the size of the request body, restricting the number of items in JSON arrays, or blocking arrays in JSON bodies altogether.
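The WAF-level mitigations above (cap the body size, cap the number of items in the top-level JSON array, or refuse arrays entirely) can be expressed as one small request gate that runs before the GraphQL engine parses anything. The following is an added example written for this page; it is not Saleor's code and not a rule from any particular WAF product. The limits (64 KiB body, 10 operations per batch), the function names, and the sample request bodies are all assumptions constructed for illustration; a deployment would pick limits that match its legitimate clients.

```python
"""Pre-parse gate for batched GraphQL requests (added example, not Saleor code).

Three checks, mirroring the three WAF options in the advisory:
  1. reject oversized request bodies before decoding them,
  2. reject top-level JSON arrays with more operations than allowed,
  3. optionally reject any top-level array (batching disabled).
Every check happens on the raw body, so no GraphQL parsing or resolver
work is spent on a request that is going to be dropped.
"""
import json
from dataclasses import dataclass

# Assumed limits; tune to the size of legitimate batches seen in production.
MAX_BODY_BYTES = 64 * 1024
MAX_BATCH_OPERATIONS = 10


@dataclass
class Decision:
    allowed: bool
    reason: str
    operations: int = 0  # how many operations the body carried, when known


def check_graphql_request(
    body: bytes,
    max_bytes: int = MAX_BODY_BYTES,
    max_operations: int = MAX_BATCH_OPERATIONS,
    allow_batching: bool = True,
) -> Decision:
    """Decide whether a GraphQL POST body may reach the engine.

    Returns a Decision rather than raising, so the caller (a WSGI middleware,
    a reverse-proxy script, a WAF rule) can map it to HTTP 413/400 as it likes.
    """
    # Check 1: size cap. Cheapest check, so it runs first; a body that is too
    # large is rejected without ever being decoded.
    if len(body) > max_bytes:
        return Decision(False, f"body of {len(body)} bytes exceeds {max_bytes}")

    # Invalid UTF-8 and malformed JSON both surface as ValueError subclasses.
    try:
        payload = json.loads(body)
    except ValueError:
        return Decision(False, "body is not valid JSON")

    # A single operation is a JSON object; a batch is a JSON array of them.
    if isinstance(payload, dict):
        operations = [payload]
    elif isinstance(payload, list):
        # Check 3: batching disabled means any array is refused outright.
        if not allow_batching:
            return Decision(False, "batched requests are disabled", len(payload))
        operations = payload
    else:
        return Decision(False, "top-level JSON must be an object or array")

    if not operations:
        return Decision(False, "empty batch", 0)

    # Check 2: the operation count is what multiplies the per-query cost,
    # so it is capped here regardless of what each query contains.
    if len(operations) > max_operations:
        return Decision(
            False,
            f"batch of {len(operations)} operations exceeds {max_operations}",
            len(operations),
        )

    # Each element must at least look like a GraphQL operation; anything
    # else is rejected before the engine sees it.
    for op in operations:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return Decision(False, "operation is missing a query string", len(operations))

    return Decision(True, "ok", len(operations))


if __name__ == "__main__":
    # Constructed sample bodies: one normal query and one oversized batch.
    single = b'{"query": "{ shop { name } }"}'
    batch_50 = b"[" + b",".join([single] * 50) + b"]"
    print(check_graphql_request(single))
    print(check_graphql_request(batch_50))
    print(check_graphql_request(batch_50, allow_batching=False))
```

The order of the checks matters: the byte-length test is free, JSON decoding is cheap, and only after both pass does the body reach the GraphQL parser and the per-query complexity limit that the advisory says batching was used to sidestep. Returning a structured Decision instead of raising keeps the gate usable both inside the application and as a standalone filter in front of it.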

Added: Apr 8, 2026, 7:05 PM
Updated: Apr 8, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.3
remediation: 7.9
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.