Recursive Fragment¶
Description¶
A GraphQL fragment may spread other fragments, and the specification requires a validator to reject any document in which those spreads form a cycle (`A` spreads `B`, `B` spreads `A`). An engine that expands spreads before that rule runs, or whose expansion or cycle check is itself unbounded recursion, follows the loop until the call stack is exhausted and the process panics with a stack overflow. Any client that can reach the GraphQL handler, authenticated or not, can send such a document, and each one can take the server down, so the impact is a denial of service against every user of the API. In Go and Rust a stack overflow is a fatal runtime error rather than a recoverable panic, so one request kills the whole process, not just the goroutine or thread that handled it.
Remediation¶
Reject fragment cycles at validation time, before any resolver runs, and cap the depth to which the engine expands a selection set, fragment spreads included. Most engines either ship the specification's fragment-cycle rule or expose a query depth limit or a validation-rule hook; turn these on and return a validation error rather than letting the expander recurse until the stack is exhausted. Keep the engine itself current, since the overflow is a bug in the engine rather than in your schema.
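The following is an added example, not Escape's scanner code and not the code of any engine listed below. It shows the two checks in one pass over a document: an iterative depth-first search over the fragment-spread graph that names the cycle instead of recursing into it, and a depth measurement that expands spreads only after the graph is known to be acyclic. The names (`validate`, `check`, `QueryRejected`), the sample documents and the limit of 10 are assumptions for illustration; a minimal brace scanner stands in for a GraphQL parser, so in a real service this logic belongs in the engine's validation hook, operating on the parsed AST.

```python
"""Pre-execution guard against recursive and over-deep GraphQL fragments.
Added illustration, not code from Escape or any engine on this page: a small
brace/regex scanner stands in for a real parser, so it assumes documents shaped
like the samples below (no braces inside string literals)."""
import re

# Inside a selection set only braces and named spreads matter; "... on Type"
# is an inline fragment, not a spread, so "on" is excluded from the capture.
TOKEN_RE = re.compile(r"\{|\}|\.\.\.\s*(?!on\b)(\w+)")
FRAGMENT_RE = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*(?:@\w+\s*)*\{")


def _spreads(body):
    return [m.group(1) for m in TOKEN_RE.finditer(body) if m.group(1)]


class QueryRejected(ValueError): """Any document the guard refuses to hand to the executor."""


def _block_end(text, open_idx):  # index of the '}' matching the '{' at open_idx
    depth = 0                    # a counter, deliberately not recursion
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise QueryRejected("unbalanced selection set")


def split_document(doc):  # -> (operation bodies, {fragment name: body})
    doc = re.sub(r"#[^\n]*", "", doc)  # a '{' inside a comment must not count
    fragments, rest, pos = {}, [], 0
    for m in FRAGMENT_RE.finditer(doc):
        if m.start() < pos:  # keyword found inside a body already consumed
            continue
        end = _block_end(doc, m.end() - 1)
        fragments[m.group(1)] = doc[m.end():end]
        rest.append(doc[pos:m.start()])
        pos = end + 1
    text, ops, i = "".join(rest) + doc[pos:], [], 0
    while i < len(text):  # every remaining top-level '{' opens an operation
        if text[i] == "{":
            end = _block_end(text, i)
            ops.append(text[i + 1:end])
            i = end
        i += 1
    return ops, fragments


def order_fragments(fragments):
    """Iterative DFS over the spread graph: fragment names in dependency order
    (each after everything it spreads), or QueryRejected naming the cycle."""
    state, order = {}, []  # name -> "active" (on the current path) or "done"
    for root in fragments:
        if root in state:
            continue
        state[root], path, stack = "active", [root], [iter(_spreads(fragments[root]))]
        while stack:  # explicit stack: a hostile document cannot overflow this
            nxt = next(stack[-1], None)
            if nxt is None:  # every spread of path[-1] has been visited
                state[path[-1]] = "done"
                order.append(path.pop())
                stack.pop()
            elif nxt not in fragments:
                raise QueryRejected(f"unknown fragment {nxt}")
            elif state.get(nxt) == "active":  # back edge: nxt is an ancestor
                raise QueryRejected("fragment cycle: " + " -> ".join(path[path.index(nxt):] + [nxt]))
            elif nxt not in state:
                state[nxt] = "active"
                path.append(nxt)
                stack.append(iter(_spreads(fragments[nxt])))
    return order


def _body_depth(body, depths):  # deepest nesting in a body, spreads expanded
    level = deepest = 0
    for m in TOKEN_RE.finditer(body):
        if m.group(1):
            if m.group(1) not in depths:
                raise QueryRejected(f"unknown fragment {m.group(1)}")
            deepest = max(deepest, level + depths[m.group(1)])
        else:
            level += 1 if m.group(0) == "{" else -1
            deepest = max(deepest, level)
    return deepest


def validate(doc, max_depth=10):
    """Reject cyclic spreads or nesting beyond max_depth, else return the depth
    (the operation's own selection set counts as level 1)."""
    ops, fragments = split_document(doc)
    depths = {}
    for name in order_fragments(fragments):  # dependencies first, so no recursion
        depths[name] = _body_depth(fragments[name], depths)
    deepest = max((1 + _body_depth(op, depths) for op in ops), default=0)
    if deepest > max_depth:
        raise QueryRejected(f"selection depth {deepest} exceeds limit {max_depth}")
    return deepest


def check(doc, max_depth=10):  # 'ok:<depth>' or 'rejected:<reason>', as a handler would log
    try:
        return f"ok:{validate(doc, max_depth)}"
    except QueryRejected as e:
        return f"rejected:{e}"


# Constructed samples: a normal query, the A -> B -> A loop, and an acyclic chain too deep for 10.
LEGIT = """query Profile { viewer { ...UserFields } }
fragment UserFields on User { id friends { ...FriendFields } }
fragment FriendFields on User { id name }"""
RECURSIVE = "query { ...A } fragment A on Query { ...B } fragment B on Query { a { ...A } }"
DEEP = "query { ...F0 }\n" + "".join(
    f"fragment F{i} on Q {{ child {{ ...F{i + 1} }} }}\n" for i in range(11)
) + "fragment F11 on Q { leaf }"
```

Calling `check` on the three constructed documents gives `ok:3` for the profile query, `rejected:fragment cycle: A -> B -> A` for the loop, and `rejected:selection depth 12 exceeds limit 10` for the chain, which no fragment repeats but which still expands twelve levels deep; that last case is why a cycle check alone is not a complete fix and a depth cap is needed as well.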
GraphQL Specific¶
Apollo
Apollo Server validates every incoming document with graphql-js before executing it, and graphql-js's default rule set rejects fragment spreads that form a cycle. Keep that validation in place (do not execute documents that skipped it), add a depth-limiting validation rule through the server's `validationRules` option, and keep `@apollo/server` and `graphql` current so any engine-side fix is in place.
Yoga
GraphQL Yoga also validates with graphql-js, so cyclic spreads are refused as long as validation is not bypassed. Add a depth limit as a validation rule or an Envelop plugin, keep `graphql-yoga` and `graphql` current, and log validation failures so a flood of rejected documents is visible.
AWS AppSync
AppSync is a managed service: the engine is patched by AWS, and what you control is the API configuration. Set the API's query depth limit so over-nested or over-expanded selections are refused before resolvers run, require authorization on the endpoint wherever anonymous access is not needed, and alert on spikes in rejected or errored requests. Manage these settings through CloudFormation or the Amplify CLI so they cannot silently drift.
graphql-go
graphql-go ports the graphql-js validation rules, fragment-cycle detection included; run validation on every document before execution and add a depth or complexity limit. Keep the module current, and remember that in Go a stack overflow is a fatal runtime error that `recover()` cannot catch, so one request takes down the whole process rather than one goroutine.
graphql-ruby
graphql-ruby's static validation rejects cyclic fragments, and the schema exposes `max_depth`; set it (`max_depth 10`, for example) so fragment expansion is bounded, pair it with `max_complexity`, and keep the gem current.
Hasura
Hasura is a prebuilt engine, so the fix is to run a current release. Where the edition supports API limits, set a depth limit on the GraphQL endpoint; keep role-based permissions tight so unauthenticated roles expose as little schema as possible, and watch the engine logs for bursts of rejected queries.
Agoo
Run a current Agoo release and enforce a query depth limit so deeply nested or fragment-expanded queries are refused before execution.
Ariadne
Ariadne executes through graphql-core, whose validation rejects fragment cycles; keep both packages current and add a depth-limiting validation rule.
Caliban
Run a current Caliban release and wrap the API with a depth limit (Caliban ships a `maxDepth` wrapper) so expansion is bounded before execution.
Dgraph
Run a current Dgraph release and enforce a query depth limit so malicious documents are refused before execution; Dgraph is a Go program, so a stack overflow aborts it entirely.
Diana.jl
Enforce a query depth limit in Diana.jl so excessively deep or recursive documents are refused.
Directus
Run a current Directus release and enforce a query depth limit.
Flutter
Keep the Flutter GraphQL client packages current and validate any user input before it is built into a query, so a malformed document is never sent; the stack-overflow fix itself belongs on the server.
Graphene
Graphene executes through graphql-core, whose validation rejects fragment cycles; keep both packages current and add a depth-limiting validation rule.
GraphQL API for WP
Run a current release of the plugin and enforce a query depth limit.
graph-gophers/graphql-go
Enforce a depth limit and complexity analysis; as with any Go server, a stack overflow aborts the process, so refusing the document at validation is the only real defence.
graphql-java
Enable `MaxQueryDepthInstrumentation` and `MaxQueryComplexityInstrumentation` so depth and complexity are checked before execution, and keep the library current.
graphql-php
Register the `QueryDepth` (and `QueryComplexity`) validation rules with `DocumentValidator` so over-deep documents fail validation, and keep the library current.
GraphQL Yoga
As for Yoga above: run a current release, keep graphql-js validation enabled, and add a depth limit.
HyperGraphQL
Run a current release and enforce a query depth limit.
Jaal
Run a current release and enforce a query depth limit; Jaal is written in Go, where a stack overflow aborts the process.
Juniper
Validate depth before execution; Juniper is a Rust library, and a Rust stack overflow aborts the process rather than unwinding as a catchable panic, so the document must be refused up front.
Lacinia
Run a current release and enforce a query depth limit.
Lighthouse
Run a current release and set the maximum query depth in the `security` section of Lighthouse's configuration.
Mercurius
Run a current release and set the `queryDepth` option so over-deep documents are rejected.
Morpheus GraphQL
Run a current release and enforce a query depth limit.
gqlgen
Run a current release and add a complexity limit (`extension.FixedComplexityLimit`) or a depth check; gqlgen servers are Go programs, where a stack overflow aborts the process.
Sangria
Run a current release and reject over-deep documents with a depth-measuring `QueryReducer`.
Shopify
Keep the Shopify integration current and enforce a query depth limit on any GraphQL surface you operate yourself.
StepZen
Run a current release and enforce a query depth limit.
Strawberry
Strawberry executes through graphql-core, which rejects fragment cycles at validation; add the `QueryDepthLimiter` extension to bound depth and keep both packages current.
Tartiflette
Run a current release and enforce a query depth limit.
WPGraphQL
Run a current WPGraphQL release and enforce a query depth limit so overly complex documents are refused.
Configuration¶
Identifier:
resource_limitation/graphql_recursive_fragment
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API8:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SC-5
Classification¶
- CWE: 770
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
- CVSS_SCORE: 6.9