CVE-2023-50730

7.5 HIGH

📋 TL;DR

Grackle GraphQL server versions before 0.18.0 contain two stack overflow vulnerabilities. Attackers can craft malicious GraphQL queries with cyclic fragments or deep nesting to cause denial of service via JVM StackOverflowError. All applications using vulnerable Grackle versions with untrusted user input are affected.

💻 Affected Systems

Products:
  • Grackle GraphQL server
Versions: All versions before 0.18.0
Operating Systems: All platforms running JVM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable Grackle versions. Requires GraphQL endpoint exposure to untrusted users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to JVM crashes from stack overflow errors, requiring application restart.

🟠

Likely Case

Denial of service through resource exhaustion, causing service degradation or temporary unavailability.

🟢

If Mitigated

No impact if patched or proper input validation/sanitization is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires minimal GraphQL knowledge. No authentication is needed to trigger the parsing vulnerability; crafting cyclic fragments requires some knowledge of the schema.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.0

Vendor Advisory: https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8

Restart Required: Yes

Instructions:

1. Update the Grackle dependency to version 0.18.0 or later.
2. Rebuild and redeploy the application.
3. Restart the service.

🔧 Temporary Workarounds

Input sanitization layer (all): implement query validation/sanitization before passing queries to the Grackle parser.

🧯 If You Can't Patch

  • Implement WAF rules to block queries with excessive nesting depth
  • Rate limit GraphQL endpoints and implement query complexity analysis
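A pre-parser guard of the kind the workaround and the "If You Can't Patch" list describe, added here as an illustration; it is not code from Grackle or from the advisory. It is written in Python for a stand-alone demonstration (a Grackle deployment would place the same logic in front of the parser in Scala), and the depth limit of 32, the sample queries and the lexical approximation of GraphQL syntax are assumptions:

```python
import re

MAX_DEPTH = 32  # assumed limit; tune to the deepest legitimate query for your schema
_LITERAL_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_FRAGMENT_DEF_RE = re.compile(r'\bfragment\s+(\w+)\s+on\s+\w+')
_SPREAD_RE = re.compile(r'\.\.\.\s*(\w+)')

def scan_query(query: str) -> tuple[int, dict[str, set[str]]]:
    """One lexical pass with a brace counter (no recursion, so the guard itself cannot
    overflow): returns the deepest selection-set nesting and fragment -> spread names."""
    text = _LITERAL_RE.sub(' ', query)          # blank strings/comments so their braces are ignored
    graph, current, depth, deepest, i = {}, None, 0, 0, 0
    while i < len(text):
        ch = text[i]
        if ch in '{}':
            depth += 1 if ch == '{' else -1
            deepest = max(deepest, depth)
            current = current if depth else None  # leaving a top-level body ends attribution
        elif depth == 0 and (m := _FRAGMENT_DEF_RE.match(text, i)):
            current = m.group(1)                  # 'fragment Name on Type' opens a body
            graph.setdefault(current, set())
            i = m.end()
            continue
        elif current and (m := _SPREAD_RE.match(text, i)) and m.group(1) != 'on':
            graph[current].add(m.group(1))        # named spread; '... on Type' is inline
            i = m.end()
            continue
        i += 1
    return deepest, graph

def cyclic_fragments(graph: dict[str, set[str]]) -> set[str]:
    """Peel off fragments whose spreads are all resolved; what remains is on or behind a cycle."""
    unresolved = dict(graph)
    while done := [n for n, deps in unresolved.items() if deps.isdisjoint(unresolved)]:
        for n in done:
            del unresolved[n]
    return set(unresolved)

def check_query(query: str, max_depth: int = MAX_DEPTH) -> list[str]:
    """Reasons to reject a raw query before it reaches the parser; an empty list means pass."""
    depth, graph = scan_query(query)
    problems = [f"nesting depth {depth} exceeds limit {max_depth}"] if depth > max_depth else []
    if cyc := cyclic_fragments(graph):
        problems.append("cyclic fragment spreads: " + ", ".join(sorted(cyc)))
    return problems

# Constructed samples (not from the advisory): benign, cyclic fragments, deep nesting.
BENIGN = 'query { user(id: "{x}") { name ...Basic } } fragment Basic on User { id }'
CYCLIC = 'query { ...A } fragment A on T { f ...B } fragment B on T { g ...A }'
DEEP = 'query ' + '{ a ' * 40 + '}' * 40
```

Rejected queries never reach the parser, so the remaining risk is confined to queries that pass both checks; the same depth figure can feed the WAF rule and the query-complexity limit mentioned above.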

🔍 How to Verify

Check if Vulnerable:

Check the Grackle version in the build configuration (build.sbt, pom.xml, etc.); any version below 0.18.0 is vulnerable.

Check Version:

Check the build configuration files, or run the application's build tool with its dependency listing.

Verify Fix Applied:

Confirm that Grackle 0.18.0 or later is in the resolved dependencies, then test the endpoint with known malicious queries in a non-production environment.

📡 Detection & Monitoring

Log Indicators:

  • StackOverflowError in JVM logs
  • GraphQL parsing failures
  • Unusual query patterns with deep nesting

Network Indicators:

  • Large GraphQL queries with repetitive patterns
  • Rapid query attempts to same endpoint

SIEM Query:

source="application.logs" AND ("StackOverflowError" OR "GraphQL parsing error")
