CVE-2024-47614

7.5 HIGH

📋 TL;DR

async-graphql before version 7.0.10 does not limit the number of directives that can be applied to a single GraphQL field. This allows attackers to craft malicious GraphQL queries with excessive directives, potentially causing denial of service through resource exhaustion. Any Rust application using vulnerable versions of async-graphql is affected.

💻 Affected Systems

Products:
  • async-graphql
Versions: All versions before 7.0.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All async-graphql deployments using default configuration are vulnerable. No special configuration required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU/memory exhaustion from malicious queries with thousands of directives, potentially affecting all users.

🟠 Likely Case

Performance degradation and intermittent service disruption from resource-intensive queries, impacting user experience.

🟢 If Mitigated

Minimal impact with proper query complexity limits, rate limiting, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send GraphQL queries, which is typically available to all users. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.10

Vendor Advisory: https://github.com/async-graphql/async-graphql/security/advisories/GHSA-5gc2-7c65-8fq8

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify async-graphql >= 7.0.10
2. Run 'cargo update'
3. Rebuild and redeploy your application
4. Restart the service

🔧 Temporary Workarounds

Implement Query Complexity Limits (applies to: all)

Add query complexity analysis to reject queries with excessive directives before processing

Rate Limiting (applies to: all)

Implement request rate limiting to prevent mass exploitation

🧯 If You Can't Patch

  • Implement WAF rules to block GraphQL queries with suspicious directive patterns
  • Deploy query depth/complexity limits at API gateway or reverse proxy layer

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for the async-graphql version. If the version is < 7.0.10, you are vulnerable.

Check Version:

grep async-graphql Cargo.lock

Verify Fix Applied:

Verify async-graphql version is >= 7.0.10 in Cargo.lock after update

📡 Detection & Monitoring

Log Indicators:

  • Unusually long GraphQL query processing times
  • High CPU/memory usage spikes
  • GraphQL queries with many @directive annotations

Network Indicators:

  • Large GraphQL query payloads
  • Repeated similar queries from single source

SIEM Query:

source="graphql_logs" AND (query_size > 10000 OR processing_time > 5000ms)
