{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/chillicream/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hot Chocolate"],"_cs_severities":["critical"],"_cs_tags":["graphql","stack-overflow","denial-of-service","hotchocolate"],"_cs_type":"advisory","_cs_vendors":["ChilliCream"],"content_html":"\u003cp\u003eThe ChilliCream GraphQL Platform, specifically the Hot Chocolate library, is susceptible to a critical vulnerability stemming from the \u003ccode\u003eUtf8GraphQLParser\u003c/code\u003e. This parser, lacking recursion depth limits, can be exploited by a malicious actor sending crafted GraphQL documents containing deeply nested selection sets, object values, list values, or list types. Successful exploitation leads to a \u003ccode\u003eStackOverflowException\u003c/code\u003e, an uncatchable error in .NET, which immediately terminates the worker process. This occurs before established validation rules like \u003ccode\u003eMaxExecutionDepth\u003c/code\u003e or complexity analyzers can engage, rendering them ineffective. Payloads as small as 40KB can trigger this vulnerability. Patches have been released to address this issue in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14. This vulnerability poses a significant threat to the availability of affected GraphQL services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious GraphQL document with deeply nested elements (selection sets, object values, list values, or list types) to exploit the lack of recursion depth limits in the \u003ccode\u003eUtf8GraphQLParser\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL document as an HTTP request to the GraphQL endpoint of a vulnerable ChilliCream Hot Chocolate application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUtf8GraphQLParser.Parse\u003c/code\u003e method is invoked to parse the incoming GraphQL document.\u003c/li\u003e\n\u003cli\u003eDue to the deeply nested structure of the malicious document, the recursive descent parser enters an uncontrolled recursion, rapidly consuming stack space.\u003c/li\u003e\n\u003cli\u003eThe recursion continues until a \u003ccode\u003eStackOverflowException\u003c/code\u003e is triggered, exceeding the stack limit.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003eStackOverflowException\u003c/code\u003e is uncatchable in .NET, the entire worker process is immediately terminated.\u003c/li\u003e\n\u003cli\u003eAll in-flight HTTP requests, background \u003ccode\u003eIHostedService\u003c/code\u003e tasks, and open WebSocket subscriptions on that worker are dropped, leading to denial of service.\u003c/li\u003e\n\u003cli\u003eThe orchestrator (Kubernetes, IIS, etc.) detects the terminated process and restarts it, but the vulnerability can be re-exploited, leading to a persistent denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is denial of service. Exploitation leads to the immediate termination of the worker process handling GraphQL requests. All active requests, background tasks, and WebSocket subscriptions are dropped. Since the exception is uncatchable, a restart is required, which an attacker can trigger repeatedly. A relatively small, crafted payload of around 40KB can be used to trigger the vulnerability. The sectors most affected are those relying on ChilliCream GraphQL Platform for critical services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade the \u003ccode\u003eHotChocolate.Language\u003c/code\u003e NuGet package to the patched versions: 12.22.7, 13.9.16, 14.3.1, or 15.1.14, as indicated in the advisory to remediate CVE-2026-40324.\u003c/li\u003e\n\u003cli\u003eImplement request body size limits at the reverse proxy or load balancer layer as a defense-in-depth measure. Be aware that the smallest crashing payload is 40KB, and it is highly compressible.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for frequent unexpected process terminations, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:29:00Z","date_published":"2024-01-03T18:29:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-chillichream-graphql-stack-overflow/","summary":"ChilliCream GraphQL Platform is vulnerable to a stack overflow exception due to unbounded recursion depth in the Utf8GraphQLParser; a crafted GraphQL document with deeply nested elements can trigger a StackOverflowException, terminating the worker process.","title":"ChilliCream GraphQL Platform Stack Overflow via Deeply Nested GraphQL Documents","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chillichream-graphql-stack-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - ChilliCream","version":"https://jsonfeed.org/version/1.1"}