{"schema_version":"1.3.1","id":"GO-2022-0300","modified":"2024-05-20T16:03:47Z","published":"2022-07-15T23:10:20Z","aliases":["CVE-2022-21708","GHSA-mh3m-8c74-74xh"],"summary":"Panic via malicious inputs in github.com/graph-gophers/graphql-go","details":"Malicious inputs can cause a panic.\n\nA maliciously crafted input can cause a stack overflow and panic. Any user with access to the GraphQL can send such a query.\n\nThis issue only occurs when using the graphql.MaxDepth schema option (which is highly recommended in most cases).","affected":[{"package":{"name":"github.com/graph-gophers/graphql-go","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/graph-gophers/graphql-go","symbols":["Schema.Exec","Schema.Subscribe","Schema.ToJSON","Schema.Validate","Schema.ValidateWithVariables","Schema.exec","Schema.subscribe"]}]}}],"references":[{"type":"FIX","url":"https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0300","review_status":"REVIEWED"}}