Saleor E-Commerce Platform GraphQL Resource Exhaustion Vulnerability

Vulnerability

A resource exhaustion vulnerability has been identified in the Saleor e-commerce platform, affecting versions from 2.0.0 up to, but not including, the fixed releases 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. The vulnerability allows a malicious actor to pack many GraphQL mutations or queries into a single API call, either by aliasing the same field repeatedly or by chaining multiple mutations in one operation, so that one request triggers work that would normally require many. This leads to resource exhaustion on the server.

Impact

Exploitation of this vulnerability can cause significant resource exhaustion on the server, potentially leading to degraded performance or service availability.

Remediation

Users are advised to upgrade to Saleor version 3.23.0a3, 3.22.47, 3.21.54, or 3.20.118. If an immediate upgrade is not possible, it is recommended to implement a live patch at the Web Application Firewall (WAF) level by limiting the size of the request body or by blocking GraphQL aliases and mutation chaining using regular expression-based WAF rules. Note that legitimate clients also use aliases, so a rule that blocks every alias may reject valid traffic; a per-request limit on the number of aliases and top-level selections is less disruptive.
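As an added example, not code from Saleor or from this advisory, the following count-based guard shows what a WAF or middleware in front of a GraphQL endpoint can check: it tokenizes the request document, counts top-level selections and aliases (skipping strings, comments and fragment definitions), and refuses array-batched bodies. The limits, the exampleMutation field and the sample requests are assumptions constructed for the example.

```python
import re

# Limits are assumptions for this example; tune them to observed traffic.
MAX_TOP_LEVEL_FIELDS = 10   # selections directly under an operation
MAX_ALIASES = 5             # aliased top-level selections
# Strings and comments are matched whole so braces or colons inside them
# are never mistaken for document structure.
_TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*'
                    r'|\.\.\.|[A-Za-z_][A-Za-z0-9_]*|[{}():@]')

def count_top_level(document: str) -> tuple[int, int]:
    """Return (top_level_selections, aliases) over all operations in a document."""
    fields = aliases = brace = paren = spread = 0
    in_fragment = counting = False
    prev, tokens = None, _TOKEN.findall(document)
    for i, tok in enumerate(tokens):
        if tok[0] in '"#':
            continue                       # literal or comment: skip entirely
        if tok in "{}()":
            brace += {"{": 1, "}": -1}.get(tok, 0)
            paren += {"(": 1, ")": -1}.get(tok, 0)
            if tok == "{" and brace == 1:  # fragment bodies are definitions, not work
                counting = not in_fragment
            in_fragment = in_fragment and brace > 0
        elif brace == 0 and tok == "fragment":
            in_fragment = True
        elif brace == 1 and paren == 0 and counting:
            if tok == "...":               # spread or inline fragment: one selection
                fields, spread = fields + 1, 1
            elif tok not in ":@":          # a name token
                if spread:                 # names of '...Name' or '... on Type'
                    spread = 2 if spread == 1 and tok == "on" else 0
                elif prev not in (":", "@"):   # not an alias target or directive
                    fields += 1
                    if tokens[i + 1:i + 2] == [":"]:
                        aliases += 1
        prev = tok
    return fields, aliases

def reject_reason(payload):
    # Rejection reason for a decoded JSON body, or None to let it through.
    if isinstance(payload, list):          # array batching multiplies work the same way
        return "batched request arrays are not accepted"
    fields, aliases = count_top_level(payload.get("query", ""))
    if fields > MAX_TOP_LEVEL_FIELDS or aliases > MAX_ALIASES:
        return f"too many top-level selections ({fields}) or aliases ({aliases})"
    return None

# Constructed samples; exampleMutation is a placeholder, not a Saleor field.
ABUSIVE = {"query": "mutation {\n" + "\n".join(
    f'  m{i}: exampleMutation(email: "a@example.com") {{ ok }}' for i in range(20)) + "\n}"}
NORMAL = {"query": "query ($id: ID!) { product(id: $id) { name variants { sku } } }"}
```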

Added: Apr 8, 2026, 7:52 PM
Updated: Apr 8, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          2.5
exploitability  8.3
remediation     7.7
relevance       5.5
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.