CVE-2023-28867

7.5 HIGH

📋 TL;DR

CVE-2023-28867 is a denial-of-service vulnerability in GraphQL Java (graphql-java): a specially crafted GraphQL query causes excessive stack consumption while the query is processed, which can kill the handling thread or bring down the whole application. Every application that depends on a vulnerable graphql-java version is affected, whether it declares the dependency directly or pulls it in through a framework that bundles it. Where the GraphQL endpoint accepts queries without authentication, no credentials are needed; a crafted query is all the attacker has to send.

💻 Affected Systems

Products:
  • GraphQL Java (graphql-java)
Versions: 20.0 and earlier on the 20.x line; 19.x before 19.4; 18.x before 18.4; 17.x before 17.5; 16.x and older in full; pre-release snapshots before 0.0.0-2023-03-20T01-49-44-80e3135
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Java application using vulnerable graphql-java library versions is affected regardless of configuration.

📦 What is this software?

graphql-java is the Java implementation of the GraphQL specification. It parses, validates and executes GraphQL documents and is the engine embedded in most Java GraphQL servers and frameworks, so it is frequently present as a transitive dependency rather than a direct one.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage: the uncaught stack exhaustion takes down the JVM or leaves it unable to serve requests, requiring a manual restart; every request in flight at that moment is lost.

🟠 Likely Case

Temporary denial of service: the crafted query exhausts the stack of the thread handling it, and availability degrades for as long as the attacker keeps sending such queries or until the process is restarted.

🟢 If Mitigated

Minimal impact where query depth limiting, complexity analysis, request size caps and rate limiting are in place; a crafted query is rejected with an error instead of consuming the stack.

🌐 Internet-Facing: HIGH - GraphQL endpoints are typically exposed to users and attackers can exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires nothing more than sending a crafted GraphQL query, which is straightforward for anyone familiar with GraphQL. No authentication is required when the GraphQL endpoint is reachable without it, as is common for public APIs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.1, 19.4, 18.4, 17.5, or 0.0.0-2023-03-20T01-49-44-80e3135

Vendor Advisory: https://github.com/graphql-java/graphql-java/releases

Restart Required: Yes

Instructions:

1. Identify the graphql-java version in your project, including versions pulled in transitively.
2. Update the dependency to a patched version (20.1, 19.4, 18.4, or 17.5, whichever matches the line you are on).
3. Rebuild and redeploy the application.
4. Restart the application services.

🔧 Temporary Workarounds

Implement Query Depth Limiting

Platform: all

Configure the GraphQL server to cap the nesting depth of a query, so that deeply nested selection sets are rejected with an error instead of being executed.

// Example for graphql-java: register graphql.analysis.MaxQueryDepthInstrumentation (or an equivalent depth limiter) on the GraphQL instance

Implement Query Complexity Analysis

Platform: all

Add complexity analysis that rejects queries whose computed cost exceeds a configured threshold.

// Use graphql.analysis.MaxQueryComplexityInstrumentation or a custom complexity calculator

Caveat: both instrumentations inspect the query only after graphql-java has already parsed the document. They shrink the attack surface for nested queries, but they cannot protect the parsing step itself, so treat them as a stop-gap until the patched version is deployed, not as an equivalent fix.
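The two limits above, wired into a graphql-java instance, as an added example (not code from this advisory or from the graphql-java project). The schema, the data fetcher and the limit values are constructed for the example; the classes used (GraphQL, MaxQueryDepthInstrumentation, MaxQueryComplexityInstrumentation, ChainedInstrumentation, SchemaParser, SchemaGenerator, RuntimeWiring) are graphql-java's own. Because the instrumentation runs after the document is parsed, what the example demonstrates is the workaround's effect, rejection of a nested query at the depth check, not protection of the parser.

```java
// Added example (not from the advisory or the graphql-java project): wires
// graphql-java's depth and complexity instrumentation in front of a toy schema
// and shows a deeply nested query being rejected before any data fetcher runs.
import java.util.List;
import java.util.Map;

import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryComplexityInstrumentation;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.execution.instrumentation.ChainedInstrumentation;
import graphql.execution.instrumentation.Instrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;

public class DepthLimitedGraphQL {

    // Toy schema constructed for this example. The self-referential
    // User.friends field is what makes unbounded nesting possible.
    private static final String SDL = String.join("\n",
        "type Query { me: User }",
        "type User { id: ID name: String friends: [User] }");

    // Illustrative limits; size them to the deepest query a legitimate client needs.
    static final int MAX_DEPTH = 5;
    static final int MAX_COMPLEXITY = 100;

    static GraphQL build() {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        // Constructed sample data served by the single root field.
        Map<String, Object> alice = Map.of("id", "1", "name", "alice", "friends", List.of());
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", t -> t.dataFetcher("me", env -> alice))
            .build();
        GraphQLSchema schema = new SchemaGenerator().makeExecutableSchema(registry, wiring);

        // Depth check first, then complexity; either one aborts execution with an error.
        Instrumentation limits = new ChainedInstrumentation(List.of(
            new MaxQueryDepthInstrumentation(MAX_DEPTH),
            new MaxQueryComplexityInstrumentation(MAX_COMPLEXITY)));

        return GraphQL.newGraphQL(schema).instrumentation(limits).build();
    }

    // Builds "{ me { friends { friends ... { id } } } }" with the given number of friends hops.
    static String nestedQuery(int hops) {
        StringBuilder sb = new StringBuilder("{ me ");
        for (int i = 0; i < hops; i++) sb.append("{ friends ");
        sb.append("{ id }");
        for (int i = 0; i < hops; i++) sb.append(" }");
        return sb.append(" }").toString();
    }

    public static void main(String[] args) {
        GraphQL graphQL = build();
        for (int hops : new int[] {2, 50}) {
            ExecutionResult result = graphQL.execute(nestedQuery(hops));
            // A rejected query carries an error and null data; its data fetchers never run.
            System.out.printf("hops=%d errors=%s data=%s%n",
                hops, result.getErrors(), result.getData());
        }
    }
}
```

Compile against whichever graphql-java artifact is on the classpath (the patched line you are moving to, or the vulnerable one while the workaround is in place). The two-hop query executes normally; the fifty-hop query is refused at the depth check with an error and null data, and no data fetcher runs for it.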

🧯 If You Can't Patch

  • Implement WAF or API-gateway rules that reject GraphQL queries with excessive nesting before they reach the application
  • Cap the request body size for the GraphQL endpoint at the reverse proxy, since a crafted query of this kind is typically much larger than legitimate traffic
  • Deploy rate limiting on GraphQL endpoints to limit the impact of repeated DoS attempts from one source

🔍 How to Verify

Check if Vulnerable:

Check the resolved graphql-java version, not only the one declared in pom.xml or build.gradle, because a framework may pull it in transitively. You are vulnerable on 20.x below 20.1, 19.x below 19.4, 18.x below 18.4, 17.x below 17.5, and on any 16.x or older release.

Check Version:

For Maven: mvn dependency:tree | grep graphql-java
For Gradle: gradle dependencies | grep graphql-java

Verify Fix Applied:

After updating, confirm that the resolved graphql-java version (from the dependency tree, not just the declared one) is a patched release, and add a test that sends a deeply nested query and checks that it is rejected with a GraphQL error rather than exhausting the stack.

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow errors in application logs
  • Abnormally large GraphQL query payloads
  • Sudden application crashes with stack-related errors

Network Indicators:

  • Large GraphQL queries with deep nesting patterns
  • Repeated GraphQL queries from single source

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR "java.lang.StackOverflowError") AND "graphql"
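The log indicators and the SIEM query above, expressed as a scanner over log lines, as an added example that is not part of the advisory. The line layout, the [client=...] field and the alert threshold are assumptions made for the example, and the sample lines are constructed; adapt the pattern to the application's real log format. It applies the same conjunction as the SIEM query (a StackOverflowError line that also mentions graphql) and then aggregates by client, so that one source repeatedly triggering the failure stands out from an unrelated stack overflow elsewhere in the application.

```java
// Added example (not from the advisory): scans log lines for the CVE-2023-28867
// indicators and aggregates hits per client. Log format and threshold are assumptions.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GraphqlStackOverflowDetector {

    // Constructed sample lines in an assumed "timestamp level [client=ip] message" layout.
    static final List<String> SAMPLE_LOG = List.of(
        "2023-03-21T10:00:01Z INFO  [client=10.0.0.5] graphql request ok bytes=412",
        "2023-03-21T10:00:02Z ERROR [client=203.0.113.9] java.lang.StackOverflowError while handling graphql request POST /graphql",
        "2023-03-21T10:00:03Z ERROR [client=203.0.113.9] java.lang.StackOverflowError while handling graphql request POST /graphql",
        "2023-03-21T10:00:04Z ERROR [client=203.0.113.9] java.lang.StackOverflowError while handling graphql request POST /graphql",
        "2023-03-21T10:00:05Z ERROR [client=10.0.0.7] java.lang.StackOverflowError in report renderer",
        "2023-03-21T10:00:06Z WARN  [client=198.51.100.4] graphql request rejected bytes=2100000");

    // Assumed client field; real logs may carry the address in an MDC field or a separate column.
    private static final Pattern CLIENT = Pattern.compile("\\[client=([^\\]]+)\\]");

    /** Counts StackOverflowError lines that also mention graphql, keyed by client address. */
    static Map<String, Integer> stackOverflowsByClient(List<String> lines) {
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String line : lines) {
            // Same conjunction as the SIEM query: the error AND a graphql context on one line.
            if (!line.contains("StackOverflowError") || !line.toLowerCase().contains("graphql")) {
                continue;
            }
            Matcher m = CLIENT.matcher(line);
            String client = m.find() ? m.group(1) : "unknown";
            counts.merge(client, 1, Integer::sum);
        }
        return counts;
    }

    /** Clients that reached the threshold within the scanned window; these warrant an alert. */
    static List<String> offenders(Map<String, Integer> counts, int threshold) {
        List<String> out = new ArrayList<>();
        counts.forEach((client, n) -> { if (n >= threshold) out.add(client); });
        return out;
    }

    public static void main(String[] args) {
        Map<String, Integer> counts = stackOverflowsByClient(SAMPLE_LOG);
        System.out.println("stack overflows per client: " + counts);
        System.out.println("alert on: " + offenders(counts, 3));
    }
}
```

The renderer line from 10.0.0.7 is a stack overflow but not a GraphQL one, so it is ignored, just as the SIEM query's "graphql" clause would drop it; the oversized request from 198.51.100.4 is not counted here but belongs in a separate payload-size alert.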

🔗 References
