Dgraph Pre-Authentication DQL Injection Vulnerability via Unvalidated NQuad Language Field

Vulnerability

A critical vulnerability exists in Dgraph, an open-source distributed GraphQL database, prior to version 25.3.3. In the default configuration, with Access Control Lists (ACL) disabled, an unauthenticated attacker can exploit it to gain full read access to all data in the database. Exploitation consists of two HTTP POST requests to port 8080. The first, to the '/alter' endpoint (which is also unauthenticated by default), creates a schema predicate with specific directives, including language tags. The second, to the '/mutate?commitNow=true' endpoint, carries a crafted JSON mutation whose language tag is never validated, so it can be used to inject Data Query Language (DQL) payloads. The injected query bypasses authentication and authorization checks, allowing the attacker to execute arbitrary queries that exfiltrate sensitive data from the database.

Impact

Successful exploitation of this vulnerability allows for unauthorized database access, enabling attackers to read all data, including sensitive information such as user secrets and AWS credentials. Additionally, the vulnerability could be exploited to manipulate database contents, as the injection payload is carried within a mutation that writes data.

Reproduction

To reproduce the vulnerability, first create a predicate in the database schema with the unique, exact-index and language attributes via an unauthenticated POST request to the '/alter' endpoint. Once the schema is in place, send a POST request to the '/mutate?commitNow=true' endpoint containing a JSON mutation whose language field on that predicate carries a DQL payload, such as a query that leaks data from the database. The injection works because the language field is not validated before it is used in a query, so the attacker can execute arbitrary queries and exfiltrate data.
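As an added example (not part of this advisory and not code from the Dgraph project), the following Python shows the defensive checks that the Vulnerability and Reproduction sections imply: a strict allowlist for language tags, and a request-triage routine that a reverse proxy or a log-review script in front of the Alpha HTTP port could apply to flag unauthenticated '/alter' calls and '/mutate' bodies whose language tags are not plain tags. It assumes Dgraph's JSON mutation convention of `predicate@tag` keys and the `"value"@tag` form of RDF N-Quads, and that an ACL session token would travel in the X-Dgraph-AccessToken header; the allowlist pattern and all sample request bodies are constructed for illustration, not real payloads.

```python
import json
import re

# Strict allowlist for a language tag, modelled on BCP 47 syntax: a primary
# subtag of 2-8 letters followed by optional alphanumeric subtags. This is
# the shape a hardened validator should take; it is not Dgraph's own check.
LANG_TAG_RE = re.compile(r"^[A-Za-z]{2,8}(?:-[A-Za-z0-9]{1,8})*$")

# Heuristic for RDF N-Quad bodies: the run of non-space characters after a
# closing quote and '@' is the language tag, as in "Alice"@en .
RDF_LANG_TAG_RE = re.compile(r'"@(\S*)')


def is_valid_lang_tag(tag: str) -> bool:
    """True only if the tag matches the allowlist; anything else is rejected."""
    return LANG_TAG_RE.fullmatch(tag) is not None


def find_bad_json_lang_tags(mutation) -> list:
    """Walk a Dgraph-style JSON mutation ({"set": [{"name@en": ...}]}) and
    return every language tag (the part of a key after '@') that fails the allowlist."""
    bad = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if "@" in key:
                    tag = key.split("@", 1)[1]
                    if not is_valid_lang_tag(tag):
                        bad.append(tag)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(mutation)
    return bad


def find_bad_rdf_lang_tags(body: str) -> list:
    """Same allowlist check applied to an RDF N-Quad mutation body."""
    return [t for t in RDF_LANG_TAG_RE.findall(body) if not is_valid_lang_tag(t)]


def triage_request(method: str, path: str, headers: dict, body: str) -> list:
    """Return findings for one HTTP request aimed at the Dgraph HTTP port:
    unauthenticated schema changes via /alter, and /mutate bodies whose
    language tags fail the allowlist."""
    findings = []
    route = path.split("?", 1)[0]
    lower = {k.lower(): v for k, v in headers.items()}
    # Assumption: an ACL session token is sent in X-Dgraph-AccessToken.
    authenticated = "x-dgraph-accesstoken" in lower
    if method == "POST" and route == "/alter" and not authenticated:
        findings.append("unauthenticated /alter request (schema change)")
    if method == "POST" and route == "/mutate":
        ctype = lower.get("content-type", "")
        if "json" in ctype:
            try:
                bad = find_bad_json_lang_tags(json.loads(body))
            except json.JSONDecodeError:
                return findings + ["/mutate body declared JSON but does not parse"]
        else:
            bad = find_bad_rdf_lang_tags(body)
        findings.extend(f"/mutate language tag fails allowlist: {t!r}" for t in bad)
    return findings


# Constructed sample traffic (illustrative only, not real exploit payloads).
BENIGN_MUTATION = {"set": [{"uid": "_:a", "name@en": "Alice", "name@pt-BR": "Alice"}]}
SUSPECT_MUTATION = {"set": [{"uid": "_:a", "name@not a tag": "Alice"}]}
SUSPECT_RDF = '_:a <name> "Alice"@en .\n_:a <name> "Alice"@not:valid .'

if __name__ == "__main__":
    print(triage_request("POST", "/alter", {}, "name: string @lang ."))
    print(triage_request("POST", "/mutate?commitNow=true",
                         {"Content-Type": "application/json"}, json.dumps(SUSPECT_MUTATION)))
    print(triage_request("POST", "/mutate?commitNow=true",
                         {"Content-Type": "application/rdf"}, SUSPECT_RDF))
```

The allowlist approach matters more than the exact pattern: rejecting everything that is not a plain tag closes the injection surface without needing to know which characters a given query parser treats as special, and flagging unauthenticated '/alter' traffic surfaces the schema step that the exploit depends on in deployments that have not yet upgraded.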

Remediation

Users can upgrade to Dgraph version 25.3.3 or later, where this vulnerability has been fixed.

Added: Apr 24, 2026, 8:56 PM
Updated: Apr 24, 2026, 8:56 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 5.0
exploitability: 9.1
remediation: 8.3
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.