Merge pull request #1162 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_graphql_20250721_082948

carlospolop · web-flow · commit b1525fa61548 · 2025-07-23T14:02:24.000+02:00
Research Update Enhanced src/network-services-pentesting/pen...
diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md
@@ -600,6 +600,78 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 'https://example.com/graphql'
 ```
 
+## Recent Vulnerabilities (2023-2025)
+
+> The GraphQL ecosystem evolves very quickly; during the last two years several critical issues were disclosed in the most-used server libraries. When you find a GraphQL endpoint it is therefore worth fingerprinting the engine (see **graphw00f**) and checking the running version against the vulnerabilities below.
+
+### CVE-2024-47614 – `async-graphql` directive-overload DoS (Rust)
+* Affected: async-graphql < **7.0.10** (Rust)
+* Root cause: no limit on **duplicated directives** (e.g. thousands of `@include`) which are expanded into an exponential number of execution nodes.
+* Impact: a single HTTP request can exhaust CPU/RAM and crash the service.
+* Fix/mitigation: upgrade ≥ 7.0.10 or call `SchemaBuilder.limit_directives()`; alternatively filter requests with a WAF rule such as `"@include.*@include.*@include"`.
+
+```graphql
+# PoC – repeat @include X times
+query overload {
+  __typename @include(if:true) @include(if:true) @include(if:true)
+}
+```
+
+### CVE-2024-40094 – `graphql-java` ENF depth/complexity bypass
+* Affected: graphql-java < 19.11, 20.0-20.8, 21.0-21.4
+* Root cause: **ExecutableNormalizedFields** were not considered by `MaxQueryDepth` / `MaxQueryComplexity` instrumentation. Recursive fragments therefore bypassed all limits.
+* Impact: unauthenticated DoS against Java stacks that embed graphql-java (Spring Boot, Netflix DGS, Atlassian products…).
+
+```graphql
+fragment A on Query { ...B }
+fragment B on Query { ...A }
+query { ...A }
+```
+
+### CVE-2023-23684 – WPGraphQL SSRF to RCE chain
+* Affected: WPGraphQL ≤ 1.14.5 (WordPress plugin).
+* Root cause: the `createMediaItem` mutation accepted attacker-controlled **`filePath` URLs**, allowing internal network access and file writes.
+* Impact: authenticated Editors/Authors could reach metadata endpoints or write PHP files for remote code execution.
+
+---
+
+## Incremental delivery abuse: `@defer` / `@stream`
+Since 2023 most major servers (Apollo 4, GraphQL-Java 20+, HotChocolate 13) implemented the **incremental delivery** directives defined by the GraphQL-over-HTTP WG. Every deferred patch is sent as a **separate chunk**, so the total response size becomes *N + 1* (envelope + patches). A query that contains thousands of tiny deferred fields therefore produces a large response while costing the attacker only one request – a classical **amplification DoS** and a way to bypass body-size WAF rules that only inspect the first chunk. WG members themselves flagged the risk. 
+
+Example payload generating 2 000 patches:
+
+```graphql
+query abuse {
+% for i in range(0,2000):
+  f{{i}}: __typename @defer
+% endfor
+}
+```
+
+Mitigation: disable `@defer/@stream` in production or enforce `max_patches`, cumulative `max_bytes` and execution time. Libraries like **graphql-armor** (see below) already enforce sensible defaults.
+
+---
+
+## Defensive middleware (2024+)
+
+| Project | Notes |
+|---|---|
+| **graphql-armor** | Node/TypeScript validation middleware published by Escape Tech. Implements plug-and-play limits for query depth, alias/field/directive counts, tokens and cost; compatible with Apollo Server, GraphQL Yoga/Envelop, Helix, etc. |
+
+Quick start:
+
+```ts
+import { protect } from '@escape.tech/graphql-armor';
+import { applyMiddleware } from 'graphql-middleware';
+
+const protectedSchema = applyMiddleware(schema, ...protect());
+```
+
+`graphql-armor` will now block overly deep, complex or directive-heavy queries, protecting against the CVEs above.
+
+---
+
+
 ## Tools
 
 ### Vulnerability scanners
@@ -641,5 +713,7 @@ https://graphql-dashboard.herokuapp.com/
 - [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)
 - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
 - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
+- [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8)
+- [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor)
 
 {{#include ../../banners/hacktricks-training.md}}
