CVE-2023-50730: 
Java vulnerability analysis and mitigation

Grackle, a GraphQL server written in functional Scala built on the Typelevel stack, was found to contain a critical vulnerability (CVE-2023-50730) affecting versions prior to 0.18.0. The vulnerability stems from the server's failure to properly check GraphQL fragments for cyclic dependencies and its use of the non-stack-safe cats-parse recursive operator. This vulnerability was discovered and disclosed in December 2023 (GitHub Advisory).

The vulnerability manifests in two ways: First, the GraphQL specification requires that fragments must not form cycles, either directly or indirectly, but this requirement wasn't checked in versions before 0.18.0. Second, Grackle's use of the cats-parse 'recursive' operator in three critical areas - nested selection sets, nested input values (lists and objects), and nested list type declarations - was not stack safe. Both issues could result in a JVM StackOverflowError when processing certain queries (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to denial of service (DoS) conditions through stack overflow errors. What makes this particularly concerning is that while some knowledge of an application's GraphQL schema would be required to construct cyclic fragment queries, no specific knowledge would be needed to create queries with deeply nested structures that could trigger the stack overflow during parsing (GitHub Advisory).

The vulnerability has been fully addressed in Grackle version 0.18.0. For users unable to upgrade immediately, a workaround is available by implementing a sanitizing layer between untrusted input and Grackle query processing (GitHub Advisory).