CVE-2022-21708: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

CVE-2022-21708 affects graphql-go, a GraphQL server library focused on ease of use. The vulnerability was discovered and disclosed on January 21, 2022, affecting versions prior to 1.3.0. The issue exists in the library's MaxDepth validation functionality, which could allow attackers to cause stack overflow panics through specifically designed queries (NVD).

The vulnerability stems from a bug in the MaxDepth schema option that fails to properly handle recursive fragment spreads in GraphQL queries. When processing queries with circular fragment references, the validation logic could enter an infinite recursion, leading to stack overflow panics. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows any user with access to the GraphQL handler to send specially crafted queries that can cause stack overflow panics. This can potentially compromise the server's ability to serve data to its users, resulting in a denial of service condition (NVD).

The vulnerability has been patched in version 1.3.0 of the library. Users are advised to upgrade to this version or later. As a temporary workaround, though not recommended, users can disable the graphql.MaxDepth option from their schema. However, this workaround may expose the application to other depth-related attacks (GitHub Advisory).