September 18, 2024

Cato CTRL Threat Research: CVE-2023-49559 – gqlparser Directive Overload DoS Vulnerability 

Vadim Freger, Yuval Moravchick
Cato CTRL Threat Research


Executive Summary 

The Cato CTRL and Cato Application Security Research teams recently discovered CVE-2023-49559, a directive overload Denial of Service (DoS) vulnerability in the gqlparser library, which is a crucial component in the development and running of GraphQL applications. The vulnerability is of medium severity (CVSS score of 5.3). 

The gqlparser library is an integrated component of the gqlgen Golang GraphQL server, widely used in web applications to handle GraphQL queries. GraphQL is a query language for APIs and a runtime for executing those queries. It uses a type system defined for your data. It also offers a more efficient, powerful, and flexible alternative to traditional REST APIs. 

The gqlparser library is responsible for parsing GraphQL queries. It is used extensively in web applications across the internet, and any vulnerabilities in this library can significantly impact the applications that rely on it. 

Cato customers are protected from this attack. IPS signatures in the Cato SASE Cloud Platform block the attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.  

Technical Overview  

The vulnerability lies in the way gqlparser handles directives. Specifically, it has no mechanism to limit the number of directives that can appear in a GraphQL query.

This oversight allows an attacker to craft a query containing an excessive number of non-existent directives, causing the server to exhaust its resources and resulting in a Denial of Service (DoS).

What are GraphQL directives? 

In simple terms, GraphQL directives are a way to dynamically change the execution or behavior of queries, mutations, and schema definitions. They act as modifiers that can alter how fields or fragments are executed by the server. Directives are typically prefixed with an “@” symbol and can be applied to various parts of a GraphQL document. 

Directives are versatile tools that can be used for conditional inclusion or exclusion of fields with built-in directives like “@include” and “@skip”, allowing you to tailor the data returned based on specific conditions. They also enable the creation of custom directives, which can add metadata, handle deprecations, or enforce validation rules—enhancing the flexibility and maintainability of your API.  


Exploring the vulnerability 

The vulnerability lies in the “parseDirectives” function in gqlparser's “query.go” file, which is responsible for parsing all incoming queries.

Consider a simple, valid GraphQL query:

query GetUser($includeEmail: Boolean!) {
  user(id: "1") {
    id
    name
    email @include(if: $includeEmail)
  }
}

An attacker can modify this query by adding numerous non-existent directives without limit, as shown below:

query GetUser($includeEmail: Boolean!) {
  user(id: "1") {
    id
    name
    email @include(if: $includeEmail) @fakeDirective @fakeDirective @fakeDirective @fakeDirective
  }
}

The more directives the query contains, the more server resources are consumed while it is handled, so response times and response sizes keep growing until a DoS occurs and the server can no longer function.

In the images below, we demonstrate a simple attack by sending the fake “@aa” directive to a test server. Figure 1 shows a normal response time; as we continue to send requests with an increasing number of directives, Figure 2 shows the response time growing exponentially together with the response size.

Figure 1: Example of a simple GraphQL request with fake directives to a test GraphQL server using Burp Suite

Figure 2: GraphQL request with multiple directives, leading to very high memory usage, a huge response size and a longer response time

Conclusion  

The vulnerability was reported by Cato to the maintainers of gqlparser together with a suggested fix. This fix was implemented as a temporary patch in version 2.5.13 of gqlparser, limiting the number of tokens in a request to 15,000.

In version 2.5.15, a permanent fix was implemented that also allows developers to control the maximum number of tokens. The parent project, gqlgen, incorporated the fixed library in version 0.17.49.

Overall, Cato’s discovery of CVE-2023-49559 highlights the importance of vigilant security practices in the development and maintenance of critical software libraries like gqlparser. This Directive Overload DoS vulnerability serves as a reminder that even the most trusted components can have flaws that, if left unaddressed, could severely impact the performance and availability of web applications. 

Protections 

Cato customers are protected against this attack on all resources connected to the Cato SASE Cloud Platform. 

Additionally, the Cato CTRL and Cato Application Security Research teams recommend the following actions:  

  1. Ensure your gqlparser library is updated to version 2.5.15 or above.
  2. If you are using the gqlgen GraphQL server, update it to version v0.17.49 or above to incorporate the permanent fix.
  3. Implement monitoring and rate-limiting mechanisms to detect and mitigate high-resource usage patterns due to abnormal query inputs.
  4. Define a maximum HTTP request size on your API servers as a precaution.
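As an added example (not code from this post, nor from gqlparser or gqlgen), here is a Go pre-filter in the spirit of recommendation 3 and of the directive-overload pattern described above: it counts directive sites in the raw GraphQL document, ignoring string literals and comments so that an e-mail address in an argument is not mistaken for a directive, and rejects the request before the document reaches the parser. The budget of 50 directives and the function names are assumptions for this example.

```go
package main

import "errors"

// Constructed budget for this example; tune it to your own schema and clients.
// Legitimate documents carry a handful of directives; the overload described
// above carries thousands.
const maxDirectives = 50

var errTooManyDirectives = errors.New("query rejected: too many directives")

func isNameStart(c byte) bool {
	return c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// countDirectives counts '@name' directive sites in a GraphQL document, skipping
// "..." strings and # comments so that, e.g., an e-mail address in an argument is
// not counted. Block strings (""") are not special-cased; that can only over-count.
func countDirectives(q string) int {
	n, inStr, inComment := 0, false, false
	for i := 0; i < len(q); i++ {
		switch c := q[i]; {
		case inComment:
			inComment = c != '\n'
		case inStr && c == '\\':
			i++ // skip the escaped character
		case c == '"':
			inStr = !inStr
		case inStr:
			// ordinary string content: ignored
		case c == '#':
			inComment = true
		case c == '@' && i+1 < len(q) && isNameStart(q[i+1]):
			n++
		}
	}
	return n
}

// checkQuery enforces the directive budget before the document reaches gqlparser.
func checkQuery(q string) error {
	if countDirectives(q) > maxDirectives {
		return errTooManyDirectives
	}
	return nil
}
```

Call checkQuery on the query string of each request in your HTTP handler, after bounding the body with http.MaxBytesReader (recommendation 4); the token limit in the fixed gqlparser remains the primary defense.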
