CVE-2022-37315 : graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type

graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

Published 2022-08-01 22:15:11

Updated 2022-08-05 12:56:36

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-37315

Graphql-go Project » Graphql-go
Versions up to, including, (<=) 0.8.0
cpe:2.3:a:graphql-go_project:graphql-go:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Assigned by: nvd@nist.gov (Primary)

https://github.com/graphql-go/graphql/issues/637

Infinite recursion on malformed input (parseTypeSystemDefinition) · Issue #637 · graphql-go/graphql · GitHub
Exploit;Issue Tracking;Third Party Advisory

Jump to