CVE-2023-40180 – Denial of service vulnerability in silverstripe-graphql via recursive queries
https://notcve.org/view.php?id=CVE-2023-40180
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive GraphQL query to mount a denial of service (DoS) attack against a website (the advisory wording says "DDOS", but a single client sending deeply nested queries is enough: the cost is server-side resource exhaustion, not traffic volume). This mostly affects websites with a publicly exposed GraphQL schema. If your Silverstripe CMS project does not expose a public-facing GraphQL schema, a user account is required to trigger the attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or Cloudflare, this may further mitigate the risk.

References:
https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
https://www.silverstripe.org/download/security-releases/CVE-2023-40180

CWE-400: Uncontrolled Resource Consumption
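The mechanism behind this class of bug is that a schema with a self-referencing type (a page whose children are pages) lets the client choose the nesting depth, and server-side work grows exponentially with that depth while the query itself grows linearly. The standard defence is to measure the query's selection-set depth before any resolver runs and reject it above a limit; the linked Silverstripe documentation covers how to configure that in the project itself. The block below is an added, stand-alone Python illustration of such a depth check (it is not silverstripe-graphql's or graphql-php's code, and the field names `pages`, `children` and `ID` are constructed for the example, not the project's schema). Depth is counted as the number of nested field selections, so `{ pages { children { id } } }` has depth 3; fragment spreads are expanded so they cannot be used to hide depth, and a fragment cycle is rejected outright.

```python
"""Query-depth limit for GraphQL, illustrating the CVE-2023-40180 mitigation class.

Hypothetical example code; not part of silverstripe-graphql or graphql-php.
"""
import re
from typing import FrozenSet, List, Tuple

# Simplified GraphQL lexer: names, punctuators, strings, numbers. Whitespace,
# commas and '#' comments are skipped (no block strings or escapes handled).
_TOKEN_RE = re.compile(r"""
    \s+|,|\#[^\n]*
  | (?P<punct>\.\.\.|[{}()\[\]:@$!=])
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
""", re.VERBOSE)


def tokenize(src: str) -> List[Tuple[str, str]]:
    tokens, pos = [], 0
    while pos < len(src):
        m = _TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"unexpected character {src[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup:  # None for ignored tokens
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class _Parser:
    """Recursive-descent parser that keeps only what the depth check needs:
    selection sets, fields, fragment spreads and inline fragments. Arguments,
    variable definitions and directives are skipped as balanced groups, so a
    '{' inside an argument object literal or a string is never mistaken for a
    selection set."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def next(self):
        tok = self.peek()
        if tok[0] is None:
            raise SyntaxError("unexpected end of document")
        self.i += 1
        return tok

    def expect(self, value):
        _, text = self.next()
        if text != value:
            raise SyntaxError(f"expected {value!r}, got {text!r}")

    def skip_group(self, open_, close):
        self.expect(open_)
        level = 1
        while level:
            _, text = self.next()
            level += (text == open_) - (text == close)

    def skip_directives(self):
        while self.peek()[1] == "@":
            self.next(); self.next()  # '@' Name
            if self.peek()[1] == "(":
                self.skip_group("(", ")")

    def parse_document(self):
        ops, frags = [], {}
        while self.peek()[0] is not None:
            text = self.peek()[1]
            if text == "{":                      # anonymous query shorthand
                ops.append(self.parse_selection_set())
            elif text == "fragment":             # fragment Name on Type { ... }
                self.next()
                _, name = self.next()
                self.expect("on")
                self.next()
                self.skip_directives()
                frags[name] = self.parse_selection_set()
            elif text in ("query", "mutation", "subscription"):
                self.next()
                if self.peek()[1] not in ("(", "{", "@"):
                    self.next()                  # operation name
                if self.peek()[1] == "(":
                    self.skip_group("(", ")")    # variable definitions
                self.skip_directives()
                ops.append(self.parse_selection_set())
            else:
                raise SyntaxError(f"unexpected token {text!r}")
        return ops, frags

    def parse_selection_set(self):
        self.expect("{")
        selections = []
        while self.peek()[1] != "}":
            selections.append(self.parse_selection())
        self.expect("}")
        return selections

    def parse_selection(self):
        kind, text = self.next()
        if text == "...":
            if self.peek()[1] == "on":           # inline fragment with type condition
                self.next(); self.next()
            elif self.peek()[1] not in ("{", "@"):
                _, name = self.next()            # named fragment spread
                self.skip_directives()
                return ("spread", name)
            self.skip_directives()
            return ("inline", self.parse_selection_set())
        if kind != "name":
            raise SyntaxError(f"expected field name, got {text!r}")
        name = text
        if self.peek()[1] == ":":                # alias: Name ':' Name
            self.next()
            _, name = self.next()
        if self.peek()[1] == "(":
            self.skip_group("(", ")")            # arguments
        self.skip_directives()
        children = self.parse_selection_set() if self.peek()[1] == "{" else None
        return ("field", name, children)


def _depth(selections, frags, active: FrozenSet[str]) -> int:
    deepest = 0
    for sel in selections:
        if sel[0] == "field":
            d = 1 + (_depth(sel[2], frags, active) if sel[2] else 0)
        elif sel[0] == "inline":
            d = _depth(sel[1], frags, active)
        else:  # spread: expand the fragment so it cannot hide nesting
            name = sel[1]
            if name in active:
                raise ValueError(f"fragment cycle through {name!r}")
            if name not in frags:
                raise ValueError(f"unknown fragment {name!r}")
            d = _depth(frags[name], frags, active | {name})
        deepest = max(deepest, d)
    return deepest


def query_depth(document: str) -> int:
    ops, frags = _Parser(tokenize(document)).parse_document()
    if not ops:
        raise ValueError("document contains no operation")
    return max(_depth(op, frags, frozenset()) for op in ops)


def check_query(document: str, max_depth: int) -> Tuple[bool, int]:
    """Return (accepted, depth). Runs before any resolver, so a rejected query
    costs one cheap parse instead of attacker-chosen amounts of work."""
    depth = query_depth(document)
    return depth <= max_depth, depth


def recursive_query(root: str, edge: str, levels: int, leaf: str = "ID") -> str:
    """Build the kind of query the advisory describes: a self-referencing edge
    (constructed names, e.g. pages -> children -> children ...) nested `levels` deep."""
    inner = "{ " + leaf + " }"
    for _ in range(levels):
        inner = "{ " + edge + " " + inner + " }"
    return "{ " + root + " " + inner + " }"


def worst_case_nodes(levels: int, fanout: int) -> int:
    """Objects the server would resolve if the root returns `fanout` items and
    every item has `fanout` children: fanout + fanout**2 + ... + fanout**(levels+1)."""
    return sum(fanout ** k for k in range(1, levels + 2))


if __name__ == "__main__":
    attack = recursive_query("pages", "children", 30)
    ok, depth = check_query(attack, max_depth=10)
    print(f"{len(attack)} bytes of query, depth {depth}, accepted={ok}, "
          f"worst case {worst_case_nodes(30, 10):,} objects resolved")
```

The depth limit is deliberately applied to the parsed document, not to the raw text: counting braces in the request body would miscount object-literal arguments and strings, and would not see nesting that is pulled in through fragment spreads. Depth alone does not bound wide-but-shallow queries (many aliases of an expensive field at the same level); a complexity or node-count limit is the complementary control for that.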