Closed nicholasaleks closed 2 years ago
Agoo currently does not support request validation, meaning cyclic fragment requests lead to unbounded results, causing instances of Agoo to crash.
Sample exploit script:
```graphql
query test { __schema { ...A } }
fragment A on __Schema { types { fields { name } } ...B }
fragment B on __Schema { ...A }
```
For more information see: https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md
Spec ref: https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles
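The spec rule linked above ("Fragment spreads must not form cycles") is the validation step the report says Agoo lacked. The following is an added example, not Agoo's code or the fix shipped in v2.14.3: a small Ruby validator that builds the spread graph between fragment definitions and rejects a document whose spreads form a cycle before any execution happens. It uses a simplified tokenizer that understands only `{`, `}`, `...` and names, which is enough for fragment definitions and spreads (a real server would run the rule over its full AST). The sample documents, including a copy of the cyclic query from the report and a self-referencing fragment, are constructed here for illustration.

```ruby
# Added example (not Agoo's implementation): detect fragment-spread cycles,
# the GraphQL validation rule "Fragment spreads must not form cycles".

# Minimal tokenizer: "..." spreads, braces, names, and any other single char.
TOKEN_RE = /\.\.\.|[{}]|[A-Za-z_]\w*|\S/
NAME_RE  = /\A[A-Za-z_]\w*\z/

# Build a graph: fragment name => list of fragment names it spreads.
# Spreads in operations (outside fragment bodies) cannot create cycles,
# so they are ignored; inline fragments ("... on Type") are not edges.
def fragment_graph(doc)
  tokens = doc.scan(TOKEN_RE)
  graph = Hash.new { |h, k| h[k] = [] }
  current = nil   # fragment whose body we are inside, or nil
  depth = 0       # brace depth inside that body
  i = 0
  while i < tokens.length
    tok = tokens[i]
    if current.nil?
      if tok == "fragment" && tokens[i + 2] == "on"
        current = tokens[i + 1]
        graph[current]          # register the fragment even if it spreads nothing
        depth = 0
        i += 3
        next
      end
    else
      case tok
      when "{"
        depth += 1
      when "}"
        depth -= 1
        current = nil if depth.zero?   # body closed
      when "..."
        nxt = tokens[i + 1]
        graph[current] << nxt if nxt && nxt != "on" && nxt =~ NAME_RE
      end
    end
    i += 1
  end
  graph
end

# Depth-first search with visiting/done marks. Returns the first cycle found
# as a list of fragment names ending where it started (e.g. ["A", "B", "A"]),
# or nil when the spread graph is acyclic.
def find_fragment_cycle(graph)
  state = {}
  path = []
  visit = lambda do |name|
    return nil if state[name] == :done
    return path[path.index(name)..-1] + [name] if state[name] == :visiting
    state[name] = :visiting
    path.push(name)
    graph.fetch(name, []).each do |dep|   # undefined fragments have no edges
      cycle = visit.call(dep)
      return cycle if cycle
    end
    path.pop
    state[name] = :done
    nil
  end
  graph.keys.each do |name|
    cycle = visit.call(name)
    return cycle if cycle
  end
  nil
end

# True when the document may proceed to execution under this rule.
def valid_fragments?(doc)
  find_fragment_cycle(fragment_graph(doc)).nil?
end

# Constructed sample documents (the first mirrors the query in the report).
CYCLIC_QUERY = <<~GQL
  query test { __schema { ...A } }
  fragment A on __Schema { types { fields { name } } ...B }
  fragment B on __Schema { ...A }
GQL

SELF_CYCLE_QUERY = <<~GQL
  query { __schema { ...A } }
  fragment A on __Schema { types { name } ...A }
GQL

ACYCLIC_QUERY = <<~GQL
  query { __schema { ...A } }
  fragment A on __Schema { types { ...B } }
  fragment B on __Type { name }
GQL

if __FILE__ == $PROGRAM_NAME
  [CYCLIC_QUERY, SELF_CYCLE_QUERY, ACYCLIC_QUERY].each do |doc|
    cycle = find_fragment_cycle(fragment_graph(doc))
    puts(cycle ? "rejected: fragment cycle #{cycle.join(' -> ')}" : "accepted")
  end
end
```

Running the rule before execution is what turns the report's unbounded expansion (A spreads B, B spreads A, forever) into a cheap validation error returned to the client. The check is linear in the number of fragments and spreads, so it costs nothing compared with resolving even one level of the query.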
Fixed in v2.14.3.
It would have been nice to give me more than a day to fix the issue before submitting to the NVD. Just saying...