{"id":"CVE-2022-31173","summary":"Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow","details":"Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually.","aliases":["GHSA-4rx6-g5vg-5f3j","RUSTSEC-2022-0038"],"modified":"2026-04-10T04:47:52.489195Z","published":"2022-08-01T18:50:12Z","database_specific":{"cwe_ids":["CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31173.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31173.json"},{"type":"ADVISORY","url":"https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31173"},{"type":"FIX","url":"https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"},{"type":"FIX","url":"https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphql-rust/juniper","events":[{"introduced":"0"},{"fixed":"6fd7a591cf43255712f102892a46c732ee193f9e"}]}],"versions":["0.5.0","0.5.1","0.5.2","0.5.3","0.6.0","0.6.1","0.6.2","0.6.3","0.7.0","0.8.0","0.8.1","0.9.0","0.9.1","0.9.2","juniper-0.11.0","juniper-0.11.1","juniper-0.13.1","juniper-0.15.0","juniper-0.15.1","juniper-0.15.2","juniper-0.15.3","juniper-v0.15.4","juniper-v0.15.5","juniper-v0.15.6","juniper-v0.15.7","juniper-v0.15.8","juniper-v0.15.9","juniper_actix-0.2.0","juniper_actix-0.2.1","juniper_actix-0.2.2","juniper_actix-0.2.3","juniper_actix-v0.2.4","juniper_actix-v0.2.5","juniper_actix-v0.3.1","juniper_codegen-0.11.0","juniper_codegen-0.13.2","juniper_codegen-0.15.0","juniper_codegen-0.15.1","juniper_codegen-0.15.2","juniper_codegen-0.15.3","juniper_codegen-v0.15.4","juniper_codegen-v0.15.5","juniper_codegen-v0.15.6","juniper_codegen-v0.15.7","juniper_codegen-v0.15.8","juniper_codegen-v0.15.9","juniper_graphql_ws-0.2.0","juniper_graphql_ws-0.2.1","juniper_graphql_ws-0.2.2","juniper_graphql_ws-0.2.3","juniper_graphql_ws-v0.2.4","juniper_graphql_ws-v0.2.5","juniper_graphql_ws-v0.2.6","juniper_hyper-0.2.0","juniper_hyper-0.4.1","juniper_hyper-0.6.0","juniper_hyper-0.6.2","juniper_hyper-0.6.3","juniper_hyper-v0.7.0","juniper_hyper-v0.7.1","juniper_hyper-v0.7.2","juniper_hyper-v0.7.3","juniper_iron-0.3.0","juniper_iron-0.4.0","juniper_iron-0.5.1","juniper_iron-0.7.0","juniper_iron-0.7.1","juniper_iron-0.7.2","juniper_iron-v0.7.3","juniper_iron-v0.7.4","juniper_iron-v0.7.5","juniper_iron-v0.7.6","juniper_rocket-0.2.0","juniper_rocket-0.3.0","juniper_rocket-0.4.1","juniper_rocket-0.6.0","juniper_rocket-0.6.1","juniper_rocket-0.6.2","juniper_rocket-v0.6.3","juniper_rocket-v0.7.0","juniper_rocket-v0.7.1","juniper_rocket-v0.7.2","juniper_subscriptions-0.15.0","juniper_subscriptions-0.15.1","juniper_subscriptions-0.15.2","juniper_subscriptions-0.15.3","juniper_subscriptions-v0.15.4","juniper_subscriptions-v0.15.5","juniper_subscriptions-v0.15.6","juniper_warp-0.2.0","juniper_warp-0.3.0","juniper_warp-0.4.0","juniper_warp-0.4.1","juniper_warp-0.6.0","juniper_warp-0.6.1","juniper_warp-0.6.2","juniper_warp-v0.6.3","juniper_warp-v0.6.4","juniper_warp-v0.6.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31173.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}