CVE-2021-47713

HIGH

Hasura Graphql Engine - Resource Allocation Without Limits

Title source: rule

Description

Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint.

Exploits (1)

exploitdb WORKING POC

by Dolev Farhi · pythondosmultiple

https://www.exploit-db.com/exploits/49789

View Code ZIP pw:eip

References (3)

[Product] https://github.com/hasura/graphql-engine

[Exploit] https://www.exploit-db.com/exploits/49789

[Third Party Advisory, Exploit] https://www.vulncheck.com/advisories/hasura-graphql-denial-of-service-via-malicious-graphql-query

Scores

CVSS v3 7.5

EPSS 0.0016

EPSS Percentile 37.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-770

Status published

Products (1)

hasura/graphql_engine 1.3.3

Published Dec 22, 2025

Tracked Since Feb 18, 2026