Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query

Advisories

severity: high
date: December 22, 2025
Affecting: Hasura GraphQL 1.3.3
CVE: CVE-2021-47713
CWE: CWE-770 Allocation of Resources Without Limits or Throttling
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49789
Hasura GraphQL Engine GitHub Repository
Credit: Dolev Farhi
Description: Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint.