GHSA-3hwm-922r-47hw: 
vulnerability analysis and mitigation

A high-severity security vulnerability (GHSA-3hwm-922r-47hw) was identified in the GraphQL parser used by the API of s42.app, affecting versions <=v0.22.2 of the atomys.codes/stud42 Go package. The vulnerability was discovered on March 24, 2023, and publicly disclosed on March 28, 2023. The issue was patched in version v0.23.0 (GitHub Advisory).

The vulnerability allows attackers to overload the GraphQL parser by sending specially crafted requests with large payloads containing excessive consecutive directives. The issue received a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (GitHub Advisory).

When exploited, this vulnerability can cause the API pod to crash, and with threading, an attacker can potentially bring down the entire API service. This results in a denial of service (DoS) condition, making the API unavailable for legitimate users (GitHub Advisory).

The vulnerability was patched in version v0.23.0 by implementing a request body size limit of 50KB to prevent possible DoS attacks. The fix includes adding a middleware that checks and limits the maximum content length accepted by the application (Patch Commit).