HotChocolate library vulnerability

I noticed that XByK had a hotfix released today to upgrade the HotChocolate library that addresses a recent security vulnerability. Given the out-of-band nature of the release, I assume it was deemed critical to XByK itself.

Looking at the information, it appears this is related to GraphQL queries. If we're not running a headless channel, are we susceptible to the vulnerability? Most of our sites are standard web channels, and I'm trying to get a handle on whether we need to do an out-of-band release of our own.


Environment

  • Xperience by Kentico version: 31.4.0

  • .NET version: 10

  • Execution environment: SaaS

Answers

Accepted answer

From the CVE:

When an attacker sends a carefully constructed GraphQL document featuring deeply nested selection sets, object values, list values, or list types, the parser can consume an unlimited stack and trigger a StackOverflowException.

The GraphQL parsing technology in the Hot Chocolate library is used in headless channels and there are no other built-in GraphQL endpoints in an Xperience by Kentico application.

Headless activity tracking uses traditional HTTP (REST) endpoints, not GraphQL.

So, unless you have headless channels or you are using the Hot Chocolate dependency directly to host your own GraphQL endpoints, you are not impacted.
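One practical way to apply the accepted answer's "are you using the Hot Chocolate dependency directly" test is to scan the solution for a direct package reference or for GraphQL server wiring. The script below is an added example, not code from the forum thread or from Kentico: it builds a constructed sample tree with two projects (a plain web channel site and a project that hosts its own GraphQL endpoint), then greps each for a direct `HotChocolate` `PackageReference` and for the `AddGraphQLServer(` / `MapGraphQL(` registration calls, which are Hot Chocolate's standard registration methods but are not mentioned on the page. The project names, file contents and version placeholder are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from the forum post or Kentico): does this .NET source tree
# host Hot Chocolate GraphQL endpoints itself, or does it only pull the library in
# transitively through Xperience packages?

# Exit status 0 (and a short report on stdout) when the tree references
# HotChocolate directly or wires up a GraphQL server; exit status 1 otherwise.
hotchocolate_exposure() {
    root="$1"
    found=1
    # A direct PackageReference in a project file. A transitive dependency pulled in
    # by Kentico packages does not appear here, which is exactly the distinction the
    # accepted answer draws.
    if grep -rqI --include='*.csproj' 'PackageReference Include="HotChocolate' "$root"; then
        echo "$root: direct HotChocolate PackageReference found"
        found=0
    fi
    # GraphQL server registration or endpoint mapping in C# sources.
    if grep -rqIE --include='*.cs' 'AddGraphQLServer\(|MapGraphQL\(' "$root"; then
        echo "$root: GraphQL server registration found in C# sources"
        found=0
    fi
    return "$found"
}

# Constructed sample tree for the demo; prints the temp directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/WebChannel" "$dir/CustomApi"
    # Project 1: a standard web channel site, Xperience packages only.
    cat > "$dir/WebChannel/WebChannel.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Kentico.Xperience.WebApp" Version="31.4.0" />
  </ItemGroup>
</Project>
EOF
    cat > "$dir/WebChannel/Program.cs" <<'EOF'
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddKentico();
var app = builder.Build();
app.UseKentico();
app.Run();
EOF
    # Project 2: hosts its own GraphQL endpoint with Hot Chocolate (version is a placeholder).
    cat > "$dir/CustomApi/CustomApi.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="HotChocolate.AspNetCore" Version="x.y.z-PLACEHOLDER" />
  </ItemGroup>
</Project>
EOF
    cat > "$dir/CustomApi/Program.cs" <<'EOF'
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddGraphQLServer().AddQueryType<Query>();
var app = builder.Build();
app.MapGraphQL();
app.Run();
EOF
    echo "$dir"
}

# Stand-alone run: scan both sample projects and report.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    for p in "$tree/WebChannel" "$tree/CustomApi"; do
        if hotchocolate_exposure "$p"; then
            echo "$p: review against the Hot Chocolate advisory"
        else
            echo "$p: no direct Hot Chocolate usage found"
        fi
    done
    rm -rf "$tree"
fi
```

Run it with `sh scan.sh --demo`, or point `hotchocolate_exposure` at a real repository root. The scan only answers the "direct usage" half of the question: whether a headless channel exists is configured in the Xperience administration, not in source, so that part still has to be checked in the admin UI.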
