CVE-2023-42319

moderate-risk

Published 2023-10-18

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.

Do I need to act?

0.67% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Go Ethereum

Affected Vendors

Ethereum

References (4)

Exploit https://blog.mevsec.com/posts/geth-dos-with-graphql/

Vendor Advisory https://geth.ethereum.org/docs/fundamentals/security

Exploit https://blog.mevsec.com/posts/geth-dos-with-graphql/

Vendor Advisory https://geth.ethereum.org/docs/fundamentals/security

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal