CVE-2023-28104

7.5 HIGH

📋 TL;DR

This vulnerability in silverstripe/graphql allows attackers to execute denial-of-service attacks via specially crafted GraphQL queries. It primarily affects websites with publicly exposed GraphQL endpoints and complex schemas. Users of affected versions should upgrade immediately.

💻 Affected Systems

Products:
  • silverstripe/graphql
Versions: 4.2.2 and 4.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites with publicly exposed GraphQL endpoints. Impact increases with schema complexity.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially causing extended downtime and business disruption.

🟠 Likely Case: Temporary service degradation or intermittent outages affecting website functionality.

🟢 If Mitigated: Minimal impact with proper rate limiting, query complexity limits, and endpoint protection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires only GraphQL endpoint access. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.3 or 4.1.2

Vendor Advisory: https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-67g8-c724-8mp3

Restart Required: Yes

Instructions:

1. Update composer.json to require silverstripe/graphql 4.2.3 or 4.1.2
2. Run composer update silverstripe/graphql
3. Clear Silverstripe cache
4. Restart web server

🔧 Temporary Workarounds

  • Restrict GraphQL endpoint access (all): limit the GraphQL endpoint to authenticated users or internal networks only.
  • Implement query complexity limits (all): add GraphQL query depth/complexity restrictions via middleware.

🧯 If You Can't Patch

  • Implement strict rate limiting on GraphQL endpoints
  • Deploy WAF rules to detect and block suspicious GraphQL queries

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or installed packages for silverstripe/graphql version 4.2.2 or 4.1.1

Check Version:

composer show silverstripe/graphql | grep versions

Verify Fix Applied:

Confirm silverstripe/graphql version is 4.2.3 or 4.1.2 in composer.lock

📡 Detection & Monitoring

Log Indicators:

  • Unusually large/complex GraphQL queries
  • Spike in server resource usage
  • Multiple failed queries from single IP

Network Indicators:

  • High volume of GraphQL requests
  • Large query payloads
  • Pattern of complex nested queries

SIEM Query:

source="web_logs" AND uri="/graphql" AND (query_size>10000 OR response_time>5000)
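As an added example (not part of this advisory or of the Silverstripe project), the SIEM rule above expressed as a small Python detector run over constructed JSON-lines web-log records; the field names (ip, uri, status, query_size, response_time) and the per-IP failure threshold of 3 are assumptions.

```python
import json
from collections import Counter

# Constructed sample log records (JSON lines); not real traffic.
SAMPLE_LOGS = """
{"ip":"203.0.113.5","uri":"/graphql","status":200,"query_size":512,"response_time":120}
{"ip":"203.0.113.5","uri":"/graphql","status":200,"query_size":24000,"response_time":180}
{"ip":"203.0.113.9","uri":"/graphql","status":200,"query_size":800,"response_time":7200}
{"ip":"198.51.100.7","uri":"/graphql","status":400,"query_size":300,"response_time":40}
{"ip":"198.51.100.7","uri":"/graphql","status":400,"query_size":310,"response_time":42}
{"ip":"198.51.100.7","uri":"/graphql","status":400,"query_size":305,"response_time":41}
{"ip":"198.51.100.7","uri":"/admin","status":200,"query_size":0,"response_time":30}
{"ip":"192.0.2.44","uri":"/graphql","status":200,"query_size":9000,"response_time":4000}
"""

GRAPHQL_URI = "/graphql"
MAX_QUERY_SIZE = 10000   # bytes, threshold taken from the SIEM query
MAX_RESPONSE_MS = 5000   # milliseconds, threshold taken from the SIEM query
FAILED_PER_IP = 3        # assumed threshold for "multiple failed queries from single IP"

def parse_logs(text):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def oversized_or_slow(records):
    """Records matching the SIEM rule: /graphql AND (large query OR slow response)."""
    return [r for r in records
            if r.get("uri") == GRAPHQL_URI
            and (r.get("query_size", 0) > MAX_QUERY_SIZE
                 or r.get("response_time", 0) > MAX_RESPONSE_MS)]

def noisy_failing_ips(records, threshold=FAILED_PER_IP):
    """IPs with at least `threshold` failed (HTTP >= 400) requests to /graphql."""
    failures = Counter(r["ip"] for r in records
                       if r.get("uri") == GRAPHQL_URI and r.get("status", 0) >= 400)
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for r in oversized_or_slow(recs):
        print("suspicious query:", r)
    print("failing IPs:", noisy_failing_ips(recs))
```

The last sample record sits just under both thresholds and is deliberately not flagged, so tune MAX_QUERY_SIZE and MAX_RESPONSE_MS to the site's normal query sizes and latencies before alerting on them.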
