Listen to this Post
The vulnerability exists in Hot Chocolate’s Utf8GraphQLParser, which implements a recursive descent parser without any recursion depth limit. An attacker sends a crafted GraphQL document containing deeply nested selection sets, object values, list values, or list types. The payload can be as small as 40 KB. As the parser recursively processes the nested structures, each nested level adds a new stack frame. Because there is no limit, the recursion continues until the .NET runtime exhausts the thread’s stack space, triggering a StackOverflowException. Since .NET 2.0, StackOverflowException is uncatchable – the exception cannot be caught by try-catch blocks. Consequently, the entire worker process terminates immediately. Any in-flight HTTP requests, background IHostedService tasks, and open WebSocket subscriptions on that worker are dropped without cleanup. The orchestrator (Kubernetes, IIS, etc.) must restart the process, leading to denial of service. This crash occurs before any validation rules run: MaxExecutionDepth, complexity analyzers, persisted query allow-lists, and custom IDocumentValidatorRule implementations are bypassed because Utf8GraphQLParser.Parse is invoked prior to validation. The existing MaxAllowedFields=2048 limit does not prevent the crash because the crashing payloads contain very few fields – only deep nesting. The vulnerability is critical (CVSS 9.1) with high availability impact.
dailycve form:
Platform: Hot Chocolate GraphQL
Version: All versions prior
Vulnerability: Unbounded recursion overflow
Severity: Critical (9.1)
Date: 2024-10-01
Prediction: Upgrade to 12.22.7
What Undercode Say:
Test for vulnerability using a deeply nested GraphQL query (40KB gzip-compressible)
curl -X POST -H "Content-Type: application/json" -d '{"query":"{ a: { b: { c: { d: { e: { f: { g: { h: { i: { j: { k: { l: { m: { n: { o: { p: { q: { r: { s: { t: { u: { v: { w: { x: { y: { z: { __typename } } } } } } } } } } } } } } } } } } } } } }"}' http://target/graphql
.NET code to set safe recursion depth after patching
var options = new ParserOptions { MaxAllowedRecursionDepth = 128 };
var parser = new Utf8GraphQLParser(options);
How Exploit:
Craft a GraphQL document with 500+ nested selection sets (e.g., { a { b { c { ... } } } }) or deeply nested list values/object values. Send as HTTP POST to `/graphql` endpoint. Payload size ~40 KB uncompressed, ~200 bytes gzipped. No authentication needed. Process crashes instantly.
Protection from this CVE
Upgrade to Hot Chocolate v12.22.7, v13.9.16, v14.3.1, or v15.1.14. After upgrade, set `MaxAllowedRecursionDepth` in `ParserOptions` (default safe value applied). No workaround exists – limiting HTTP body size at reverse proxy reduces but does not eliminate risk (crash payload is tiny).
Impact
Immediate termination of .NET worker process. All active HTTP requests, background services, and WebSocket connections dropped. Repeated crashes cause persistent denial of service. Orchestrator restarts process but attacker can re-trigger instantly. No data confidentiality loss, but high integrity (disrupted operations) and high availability loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

