CVE-2022-30288 - Unspecified vulnerability in Ohler Agoo
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors."
Vulnerable Configurations
References
- https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md
- https://github.com/ohler55/agoo/issues/109
- https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles