GHSA-733v-p3h5-qpq7

Опубликовано: 25 апр. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation

Summary

A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.

Details

At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:

if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') { return 0; }

However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode

So, for example, sending the following query

query hello { books { title } }

would create an OperationDefinitionNode with node.name.value == 'hello'

The proper way to handle this would be to check for the __schema field, which would create a FieldNode.

The fix is

if ( this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema' && node.kind === Kind.FIELD ) { return 0; }

to assert that the node must be a FieldNode

PoC

query { ...__schema } fragment __schema on Query { books { title author } }

query __schema { books { title author } }

Impact

Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.

Fix:

Fixed on 772. A quick patch would be to set ignoreIntrospection to false.

Ссылки

Пакеты

Наименование

@escape.tech/graphql-armor-cost-limit

npm

Затронутые версииВерсия исправления

< 2.4.2

2.4.2

5.3 Medium

CVSS3

Дефекты

CWE-400

CWE-770

5.3 Medium

CVSS3

Дефекты

CWE-400

CWE-770