CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

CVE-2023-40180 – Denial of service vulnerability in silverstripe-graphql via recursive queries
https://notcve.org/view.php?id=CVE-2023-40180
16 Oct 2023 — silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or C... • https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries • CWE-400: Uncontrolled Resource Consumption