CVE-2021-47714
📋 TL;DR
CVE-2021-47714 is a server-side file read vulnerability in Hasura GraphQL Engine 1.3.3. SQL injection through the query endpoint lets an attacker call PostgreSQL's pg_read_file() and read arbitrary files from the database host, limited to what the PostgreSQL server process can read and to what the database role Hasura connects with is allowed to do. It affects organizations running the vulnerable version and can expose sensitive server data.
💻 Affected Systems
- Hasura GraphQL Engine
📦 What is this software?
Hasura GraphQL Engine is an open-source server that exposes a GraphQL API over a PostgreSQL database, translating GraphQL operations into SQL on the fly. Because every request ends as a SQL statement, an injection flaw in the engine hands the attacker the privileges of the database role Hasura uses.
⚠️ Risk & Real-World Impact
Worst Case
If Hasura connects as a PostgreSQL superuser (or a member of pg_read_server_files), attackers can read any file the PostgreSQL OS user can open on the database host: /etc/passwd, database and application configuration, credentials on disk, or data files. That leads to data breaches, credential theft, and further attacks on adjacent systems. Note that pg_read_file() reads from the database server's filesystem, which is not necessarily the host running Hasura.
Likely Case
Attackers may read accessible files on the server, such as configuration files or logs, compromising sensitive information and enabling reconnaissance for additional exploits.
If Mitigated
If Hasura connects as a non-superuser role that is not a member of pg_read_server_files, pg_read_file() fails with "permission denied" and the injection is limited to data the role can already query. Combined with request allow-listing and network segmentation of the query endpoint, the remaining impact is unauthorized reads of database content rather than of files.
🎯 Exploit Status
Exploitation involves crafting malicious SQL queries to trigger the pg_read_file() function, with public proof-of-concept code available, making it accessible to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.4 or later
Vendor Advisory: https://github.com/hasura/graphql-engine
Restart Required: Yes
Instructions:
1. Update Hasura GraphQL Engine to version 1.3.4 or higher.
2. Restart the Hasura service to apply the patch.
3. Verify the update by checking the version in the admin console or logs.
🔧 Temporary Workarounds
Input Validation and Sanitization
Hasura generates the SQL itself, so there is no application-side place to sanitize it; the practical control is to restrict which operations reach the engine. Enable Hasura's allow-list so only pre-registered GraphQL operations are accepted, and keep the metadata/query APIs (which take raw SQL) reachable only with the admin secret from trusted networks. A reverse proxy or middleware that rejects payloads containing pg_read_file and similar function names adds a weak second layer, but it is easy to bypass with encoding and should not be relied on alone.
Restrict File Permissions
Run the following as a PostgreSQL superuser against the database Hasura uses (replace hasura_user with the role in Hasura's connection string). The first statement is the one that matters: superusers bypass all privilege checks, so a REVOKE alone does nothing for a superuser role. pg_read_server_files exists on PostgreSQL 11 and later; on older servers only the first and last statements apply. By default pg_read_file() is not executable by ordinary roles, so the REVOKE EXECUTE only has effect if it was explicitly granted. Confirm afterwards with pg_roles.rolsuper and pg_has_role() for the Hasura role.
ALTER ROLE hasura_user NOSUPERUSER;                                           -- superuser bypasses every GRANT/REVOKE below
REVOKE pg_read_server_files FROM hasura_user;                                 -- PostgreSQL 11+: predefined role that permits server file reads
REVOKE EXECUTE ON FUNCTION pg_read_file(text), pg_read_file(text, bigint, bigint) FROM hasura_user;  -- signatures are required; a bare name is ambiguous
🧯 If You Can't Patch
- Implement network-level controls such as firewalls to restrict access to the Hasura query endpoint from untrusted sources.
- Monitor and audit logs for unusual SQL query patterns or file access attempts to detect exploitation early.
🔍 How to Verify
Check if Vulnerable:
Check the running Hasura GraphQL Engine version; 1.3.3 is the affected release. The image label from docker inspect is not a reliable source, so read the version from the engine itself or from the admin console's About/settings page.
Check Version:
curl http://localhost:8080/v1/version (an unauthenticated GET endpoint that returns JSON such as {"version":"v1.3.3"}) or, inside the container, docker exec hasura_container graphql-engine version (the image ships the graphql-engine binary, not the hasura CLI).
Verify Fix Applied:
After updating, confirm /v1/version reports 1.3.4 or later, and re-run the request that previously returned file contents against a staging copy to confirm it now returns an error rather than data.
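The version check done in code, as an added example that is not part of this page or of Hasura's own tooling: it parses the tag that /v1/version returns (a leading v and a -beta style pre-release suffix are handled) and classifies it against the 1.3.4 fix version given above. The base URL is an assumption for a local instance; treating 1.3.3 as the affected release and anything older than 1.3.4 as unpatched follows this page's guidance rather than an independent review of other releases.

```python
import json
import re
from urllib.request import urlopen

# First release this page lists as fixed.
FIXED_VERSION = (1, 3, 4)
# Release named as affected by the advisory.
AFFECTED_VERSION = (1, 3, 3)

# v1.3.3 | 1.3.4 | v1.3.4-beta.1 | v2.0.0-alpha.1+build.7
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(tag: str):
    """Turn a Hasura version tag into ((major, minor, patch), is_prerelease).

    The pre-release flag is kept so that 1.3.4-beta.1 is not mistaken for the
    1.3.4 release; build metadata after '+' is ignored for ordering.
    """
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Hasura version string: {tag!r}")
    nums = tuple(int(m.group(i)) for i in (1, 2, 3))
    return nums, m.group(4) is not None


def assess(tag: str) -> str:
    """Classify a version tag: 'vulnerable', 'unpatched' or 'patched'."""
    nums, prerelease = parse_version(tag)
    if nums == AFFECTED_VERSION and not prerelease:
        return "vulnerable"          # the exact release the advisory names
    if nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease):
        return "unpatched"           # older than the fix; confirm against the vendor advisory
    return "patched"


def fetch_version(base_url: str = "http://localhost:8080") -> str:
    """GET /v1/version from a running engine and return the raw tag.

    base_url is an assumed local instance; the endpoint does not require the
    admin secret.
    """
    with urlopen(f"{base_url.rstrip('/')}/v1/version", timeout=5) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    tag = fetch_version()
    print(f"{tag}: {assess(tag)}")
```

Run it against each Hasura instance in the estate; any result other than "patched" goes on the remediation list.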
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries containing pg_read_file() calls in Hasura logs
- PostgreSQL log entries such as "ERROR:  permission denied for function pg_read_file" (the attempt was blocked by role privileges) or statement logs referencing sensitive paths like /etc/passwd
Network Indicators:
- Abnormal spikes in GraphQL query traffic to the query endpoint
- GraphQL request bodies or variables carrying SQL fragments: unbalanced quotes, UNION SELECT, comment sequences (-- or /* */), or PostgreSQL function names such as pg_read_file, possibly URL-encoded
SIEM Query:
source="hasura_logs" AND ("pg_read_file" OR "pg_read_binary_file" OR "pg_ls_dir")
source="postgresql_logs" AND "permission denied for function pg_read_file"
(The literal phrase "SQL injection" never appears in logs; search for the function names and the PostgreSQL error text instead.)
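Detection logic of the kind the indicators above describe, as an added example that is not part of this page, of Hasura, or of PostgreSQL. It scans a mix of JSON Hasura http-log lines and plain-text PostgreSQL statement logs for server-side file-read calls, after undoing the two cheap evasions a substring match would miss (URL encoding and inline /* */ comments). The sample log lines are constructed for this example and only approximate the real log shape; because the scanner walks every string in a JSON record, it does not depend on a particular field layout.

```python
import json
import re
from urllib.parse import unquote

# pg_read_file is the function named in the advisory; the others need the same
# privilege (superuser or pg_read_server_files) and warrant the same alert.
FILE_FUNCS = ("pg_read_file", "pg_read_binary_file", "pg_ls_dir", "pg_stat_file")
# Function name followed by '(' and, optionally, a single-quoted first argument.
FUNC_RE = re.compile(r"\b(" + "|".join(FILE_FUNCS) + r")\s*\((?:\s*'([^']*)')?")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(text: str) -> str:
    """URL-decode, strip /* */ comments (pg_/**/read_file) and lower-case."""
    return BLOCK_COMMENT_RE.sub("", unquote(text)).lower()


def iter_strings(obj):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def scan_line(line: str):
    """Return (function_name, path_or_None) for each file-read call in one log line."""
    line = line.strip()
    if not line:
        return []
    try:
        candidates = list(iter_strings(json.loads(line)))   # Hasura JSON log
    except ValueError:
        candidates = [line]                                  # plain-text PostgreSQL log
    hits = []
    for text in candidates:
        for m in FUNC_RE.finditer(normalize(text)):
            hits.append((m.group(1), m.group(2) or None))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; return (line_no, function, path) findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for func, path in scan_line(line):
            findings.append((line_no, func, path))
    return findings


# Constructed sample lines (not real captures): one benign request, one
# injection inside a GraphQL argument, one comment-obfuscated call in a
# PostgreSQL statement log, one URL-encoded payload in a GET query string.
SAMPLE_LOG = [
    '{"type":"http-log","level":"info","detail":{"operation":{"query":{"query":"query { users { id name } }"}},'
    '"http_info":{"url":"/v1/graphql","method":"POST","status":200}}}',
    '{"type":"http-log","level":"info","detail":{"operation":{"query":{"query":"query { users(where:{name:{_eq:\\"x\') '
    'UNION SELECT pg_read_file(\'/etc/passwd\') --\\"}}) { id } }"}},'
    '"http_info":{"url":"/v1/graphql","method":"POST","status":200}}}',
    "2021-05-01 10:00:00 UTC LOG:  statement: SELECT PG_/**/READ_FILE('/etc/hosts', 0, 200)",
    '{"type":"http-log","detail":{"http_info":{"url":"/v1/graphql?query=%7B%20x%20%7D%20pg_read_file%28%27/proc/self/environ%27%29"}}}',
]

if __name__ == "__main__":
    for line_no, func, path in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {func}({path!r})")
```

Feed it `sys.stdin` or an open log file instead of SAMPLE_LOG for real use; a hit on a path outside the data directory, or any hit from a non-admin source IP, is worth an immediate look.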