GHSA-xq3c-8gqm-v648: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-xq3c-8gqm-v648) affects the async-graphql package in Rust, discovered and disclosed on July 21, 2022. This security issue impacts versions prior to 4.0.6 of the async-graphql library, where deeply nested GraphQL queries could trigger stack overflow conditions. The vulnerability was assigned a high severity rating with a CVSS score of 7.5 (GitHub Advisory, RustSec Advisory).

The vulnerability is characterized by its network attack vector, low attack complexity, and requires no privileges or user interaction to exploit. It received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The technical issue stems from the handling of deeply nested fragments in GraphQL requests, which could trigger stack overflow conditions in the server implementation (GitHub Advisory).

The primary impact of this vulnerability is on system availability. When exploited, it can cause a denial of service through stack overflow conditions triggered by processing deeply nested queries. The vulnerability affects the server's availability while having no direct impact on confidentiality or integrity (RustSec Advisory).

The vulnerability has been patched in version 4.0.6 of async-graphql. The fix implements a maximum recursive depth limit of 256 by default, which prevents stack overflow conditions while maintaining normal functionality. Users are advised to upgrade to version 4.0.6 or later to address this security issue (GitHub Commit).