blob: 1198463d3fed004f56e8bf123c6e26570c480988 [file] [log] [blame]
id: GO-2022-0300
modules:
- module: github.com/graph-gophers/graphql-go
versions:
- fixed: 1.3.0
vulnerable_at: 1.2.0
packages:
- package: github.com/graph-gophers/graphql-go
symbols:
- Schema.ValidateWithVariables
- Schema.exec
- Schema.subscribe
derived_symbols:
- Schema.Exec
- Schema.Subscribe
- Schema.ToJSON
- Schema.Validate
summary: Panic via malicious inputs in github.com/graph-gophers/graphql-go
description: |-
Malicious inputs can cause a panic.
A maliciously crafted input can cause a stack overflow and panic. Any user with
access to the GraphQL can send such a query.
This issue only occurs when using the graphql.MaxDepth schema option (which is
highly recommended in most cases).
published: 2022-07-15T23:10:20Z
cves:
- CVE-2022-21708
ghsas:
- GHSA-mh3m-8c74-74xh
references:
- fix: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe
review_status: REVIEWED