Miggo Logo
Miggo Vulnerability Database
CVE-2023-49559

CVE-2023-49559: gqlparser denial of service vulnerability via the parserDirectives function

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-49559
GHSA ID
GHSA-2hmf-46v7-v6fx
EPSS Score
0.19423%
CWE
CWE-400
Published
6/12/2024
Updated
12/3/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/vektah/gqlparser/v2go< 2.5.142.5.14
github.com/vektah/gqlparsergo< 2.5.142.5.14

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing token limits in directive parsing. The original ParseQuery function set maxTokenLimit=0 (unlimited), making it the entry point for attacks. The parseDirectives function (line 316 in query.go) processes directives recursively without resource constraints when called through this unlimited parser. The fix introduced ParseQueryWithTokenLimit to enforce limits, confirming the original ParseQuery was vulnerable. Both functions work together to enable the DoS by allowing unbounded token processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* in v*kt** *qlp*rs*r op*n-sour**-li*r*ry v.*.*.** *llows * r*mot* *tt**k*r to **us* * **ni*l o* s*rvi** vi* * *r**t** s*ript to t** p*rs*r*ir**tiv*s *un*tion.

Reasoning

T** vuln*r**ility st*ms *rom missin* tok*n limits in *ir**tiv* p*rsin*. T** ori*in*l `P*rs*Qu*ry` *un*tion s*t m*xTok*nLimit=* (unlimit**), m*kin* it t** *ntry point *or *tt**ks. T** `p*rs**ir**tiv*s` *un*tion (lin* *** in `qu*ry.*o`) pro**ss*s *ir**