CVE-2021-47713

7.5 HIGH

📋 TL;DR

CVE-2021-47713 is a denial of service vulnerability in Hasura GraphQL Engine where attackers can craft malicious GraphQL queries with excessive nested fields to overwhelm server resources. This affects any Hasura GraphQL deployment exposed to untrusted users, potentially causing service outages and degraded performance.

💻 Affected Systems

Products:
  • Hasura GraphQL Engine
Versions: 1.3.3 and earlier versions
Operating Systems: All platforms running Hasura GraphQL Engine
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as no query depth limiting is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage with the GraphQL endpoint crashing, making the application unavailable to legitimate users.

🟠 Likely Case

Severe performance degradation with high CPU/memory consumption, leading to timeouts and failed requests.

🟢 If Mitigated

Minimal impact: rate limiting and query depth restrictions prevent resource exhaustion.

🌐 Internet-Facing: HIGH - Public GraphQL endpoints are directly accessible to attackers without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still exploit the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 and later

Vendor Advisory: https://github.com/hasura/graphql-engine/releases/tag/v1.3.4

Restart Required: Yes

Instructions:

1. Update Hasura GraphQL Engine to version 1.3.4 or later.
2. Restart the Hasura service.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Enable Query Depth Limiting (platform: all)

Configure Hasura to cap the maximum query depth so that deeply nested queries are rejected before execution.

Set HASURA_GRAPHQL_QUERY_DEPTH_LIMIT=10 in the environment variables.
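The depth limit above is enforced inside the engine; a reverse proxy or middleware in front of an unpatched instance can apply the same kind of check. The following is an added example, not Hasura's own validator or any code from the advisory: it counts selection-set nesting in a GraphQL document and refuses anything deeper than the configured limit. The counting rules (braces outside parentheses are selection sets; braces inside parentheses are argument objects such as Hasura's `where: {...}` filters) and the sample queries are assumptions constructed for this example.

```python
# Added example: a query-depth guard for a proxy/middleware, mirroring the
# effect of HASURA_GRAPHQL_QUERY_DEPTH_LIMIT. Not the engine's own code.

DEFAULT_DEPTH_LIMIT = 10  # the value suggested in the workaround above


def selection_depth(query: str) -> int:
    """Return the maximum selection-set nesting depth of a GraphQL document.

    Braces inside string literals, block strings and line comments are
    ignored, and braces inside parentheses are treated as argument object
    literals (e.g. `users(where: {name: {_eq: "x"}})`) rather than selection
    sets, so filter arguments do not inflate the measured depth.
    Raises ValueError on unbalanced braces/parentheses.
    """
    depth = 0       # current selection-set nesting
    max_depth = 0
    parens = 0      # > 0 while inside an argument list
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                      # line comment: skip to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if ch == '"':                      # string or block string literal
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1   # skip escapes
                i += 1
            continue
        if ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif ch == "{" and parens == 0:
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}" and parens == 0:
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in GraphQL document")
        i += 1
    if depth != 0 or parens != 0:
        raise ValueError("unbalanced braces or parentheses in GraphQL document")
    return max_depth


def check_query(query: str, limit: int = DEFAULT_DEPTH_LIMIT) -> dict:
    """Decide whether a document may be forwarded to the engine."""
    try:
        depth = selection_depth(query)
    except ValueError as exc:
        return {"allowed": False, "depth": None, "reason": str(exc)}
    if depth > limit:
        return {"allowed": False, "depth": depth,
                "reason": f"depth {depth} exceeds limit {limit}"}
    return {"allowed": True, "depth": depth, "reason": "ok"}


# Constructed sample documents for exercising the guard (not from the advisory).
NORMAL_QUERY = """
query {
  users(limit: 5, where: {name: {_eq: "alice"}}) {  # argument braces ignored
    id
    name
    posts { title }
  }
}
"""
# Twelve nested selection sets, two more than DEFAULT_DEPTH_LIMIT permits.
DEEP_QUERY = ("query { l1 { l2 { l3 { l4 { l5 { l6 { l7 { l8 { l9 { l10 { l11 { id"
              + " }" * 12)

if __name__ == "__main__":
    for name, doc in (("normal", NORMAL_QUERY), ("deep", DEEP_QUERY)):
        print(name, check_query(doc))
```

Note that this guard counts the document as written and does not expand fragment spreads (`...Fragment`), so depth hidden behind fragments is not measured; a complete validator, like the engine's own, must resolve fragments before counting.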

Implement Rate Limiting (platform: linux)

Add rate limiting at the proxy/load balancer level to prevent repeated malicious requests.

nginx (http block): limit_req_zone $binary_remote_addr zone=hasura:10m rate=10r/s;
nginx (location block for the GraphQL endpoint): limit_req zone=hasura burst=20 nodelay;

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block queries with excessive nesting
  • Deploy reverse proxy with request size limits and timeout restrictions

🔍 How to Verify

Check if Vulnerable:

Check Hasura version: if running 1.3.3 or earlier, the system is vulnerable. Test with a deeply nested GraphQL query to see if it causes high resource usage.

Check Version:

Check Hasura logs or API endpoint for version information, or run: docker inspect hasura/graphql-engine | grep -i version

Verify Fix Applied:

After updating to 1.3.4+, send a deeply nested test query; it should be rejected or limited. Monitor resource usage during the test queries.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large GraphQL query strings in logs
  • Multiple timeout errors from GraphQL endpoint
  • High CPU/memory usage spikes correlated with GraphQL requests

Network Indicators:

  • Large HTTP POST requests to /v1/graphql endpoint
  • High request rate from single IPs with similar query patterns
  • Increased error rate (5xx) from GraphQL service

SIEM Query:

source="hasura.logs" AND (query_size>10000 OR error="timeout" OR error="memory")
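To show how the log and network indicators above combine into detection logic, here is an added example that is not part of the advisory or of Hasura's tooling. It runs the same conditions as the SIEM query (query_size over 10000, timeout/memory errors) plus two of the network indicators (5xx responses, request bursts from one IP) over a constructed set of JSON request-log lines. The field names (ts, ip, path, query_size, status, error), the sample addresses and the burst threshold of 20 requests per 10 seconds are assumptions for this example, not Hasura's real log schema or recommended values.

```python
# Added example: offline detection over constructed Hasura-style request logs.
# The log schema and thresholds are assumptions, not Hasura's own format.
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

QUERY_SIZE_THRESHOLD = 10000       # bytes; same threshold as the SIEM query
ERROR_MARKERS = ("timeout", "memory")
RATE_WINDOW_SECONDS = 10
RATE_THRESHOLD = 20                # requests per IP per window (assumed tuning)


def parse_line(line: str) -> dict:
    """Parse one JSON log line; ts is kept as a tz-aware datetime."""
    rec = json.loads(line)
    rec["ts_dt"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def analyze(log_text: str, size_threshold: int = QUERY_SIZE_THRESHOLD,
            rate_window: int = RATE_WINDOW_SECONDS,
            rate_threshold: int = RATE_THRESHOLD) -> list:
    """Return alert dicts (kind, ip, ts) for every indicator that fires."""
    alerts = []
    recent = defaultdict(deque)     # ip -> timestamps inside the sliding window
    burst_seen = set()              # alert once per IP, not once per request
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ip, ts = rec["ip"], rec["ts_dt"]

        def fire(kind):
            alerts.append({"kind": kind, "ip": ip, "ts": rec["ts"]})

        # Log indicator: unusually large query strings.
        if rec.get("query_size", 0) > size_threshold:
            fire("large_query")
        # Log indicator: timeout / memory errors from the engine.
        err = (rec.get("error") or "").lower()
        if any(marker in err for marker in ERROR_MARKERS):
            fire("engine_error")
        # Network indicator: 5xx responses from the GraphQL service.
        if rec.get("status", 0) >= 500:
            fire("server_error")
        # Network indicator: high request rate from a single IP.
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > rate_window:
            window.popleft()
        window.append(ts)
        if len(window) > rate_threshold and ip not in burst_seen:
            burst_seen.add(ip)
            fire("burst")
    return alerts


def suspicious_ips(alerts: list) -> set:
    """IPs that triggered at least one indicator; candidates for blocking."""
    return {a["ip"] for a in alerts}


# ---- constructed sample log (not captured from a real deployment) ----
def _rec(ts, ip, size, status, error=None):
    return json.dumps({"ts": ts, "ip": ip, "path": "/v1/graphql",
                       "query_size": size, "status": status, "error": error})


_BASE = datetime(2021, 12, 1, 10, 0, 10, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    [_rec("2021-12-01T10:00:01Z", "10.0.0.5", 350, 200),                    # benign
     _rec("2021-12-01T10:00:02Z", "198.51.100.23", 25000, 200),             # oversized
     _rec("2021-12-01T10:00:03Z", "198.51.100.23", 8000, 504, "timeout"),
     _rec("2021-12-01T10:00:04Z", "198.51.100.23", 9000, 500, "out of memory")]
    # 25 small requests from one address within ~5 seconds: a burst
    + [_rec((_BASE + timedelta(milliseconds=200 * i)).isoformat(),
            "203.0.113.7", 500, 200) for i in range(25)])

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    print(Counter(a["kind"] for a in found))
    print("suspicious:", sorted(suspicious_ips(found)))
```

The burst rule fires once per IP when the sliding-window count first exceeds the threshold, which keeps alert volume proportional to offending sources rather than to request volume; the thresholds should be tuned to the deployment's normal query sizes and traffic before the rule is relied on.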
