
Graphql Introspection

Description

GraphQL Introspection vulnerability arises when the introspection feature of GraphQL is enabled in a production environment. This allows potential attackers to query the schema and gain insights into the structure and implementation details of the GraphQL API, potentially exposing sensitive information and increasing the attack surface. To mitigate this vulnerability, disable introspection in production environments or implement strict access controls and rate limiting on introspection queries to prevent unauthorized access to sensitive schema information.

Remediation

Disable GraphQL introspection for public-facing or production APIs, ensuring it is only enabled for development or debugging purposes. If introspection must remain available, implement robust access controls—such as authentication and authorization—to restrict who can make introspection requests. Consider rate limiting and logging introspection queries to detect suspicious activity or excessive schema exploration attempts. Regularly audit your GraphQL schema for sensitive fields or resolvers that could inadvertently disclose critical information. Keep dependencies and frameworks updated to incorporate the latest security patches and introspection-related best practices.
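As an added example (not part of this catalogue entry or any vendor's code), a dependency-free JavaScript policy layer for the case where introspection must stay reachable: it classifies a request as introspection, gates it on environment and caller role, and budgets introspection calls per caller so excess can be logged. The preferred fix remains the server's own switch, e.g. Apollo Server's `introspection: false` or graphql-js's `NoSchemaIntrospectionCustomRule`; the `principal` shape and the role names used here are assumptions.

```javascript
// Added example, not from the original page. Assumed request shape:
// { env, principal: { authenticated, roles }, query }.

// Detect whether a GraphQL document selects the __schema or __type root fields.
// String literals (block and ordinary) and # comments are blanked first so that
// the text "__schema" inside an argument value is not a false positive; aliases
// (e.g. `x: __type(...)`) still resolve introspection and are still matched.
// __typename is a normal field and is deliberately NOT treated as introspection.
function usesIntrospection(query) {
  const stripped = query
    .replace(/"""[\s\S]*?"""/g, '""')   // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // ordinary strings
    .replace(/#[^\n]*/g, '');            // comments
  return /(^|[^\w])__(schema|type)\b/.test(stripped);
}

// Allow introspection freely outside production; in production require an
// authenticated caller holding one of allowedRoles. Returns a reason so the
// caller can log every denial (schema-exploration attempts are worth seeing).
function introspectionPolicy({ env, principal, query, allowedRoles = ['admin'] }) {
  if (!usesIntrospection(query)) return { allow: true, reason: 'not-introspection' };
  if (env !== 'production') return { allow: true, reason: 'non-production' };
  if (!principal || !principal.authenticated) return { allow: false, reason: 'unauthenticated-introspection' };
  const permitted = (principal.roles || []).some((r) => allowedRoles.includes(r));
  return permitted ? { allow: true, reason: 'authorized-role' } : { allow: false, reason: 'role-not-allowed' };
}

// Fixed-window budget of introspection requests per caller key (user id, API key,
// or client IP). take() returns false once the caller exceeds `max` in a window.
class IntrospectionBudget {
  constructor(max, windowMs) { this.max = max; this.windowMs = windowMs; this.hits = new Map(); }
  take(key, now = Date.now()) {
    const h = this.hits.get(key);
    if (!h || now - h.start >= this.windowMs) { this.hits.set(key, { start: now, count: 1 }); return true; }
    h.count += 1;
    return h.count <= this.max;
  }
}

// Constructed sample documents for demonstration.
const SAMPLE_INTROSPECTION = '{ __schema { types { name fields { name } } } }';
const SAMPLE_ALIASED = 'query { s: __type(name: "User") { fields { name } } }';
const SAMPLE_NORMAL = 'query { me { id __typename posts(filter: "__schema") { title } } }';

for (const q of [SAMPLE_INTROSPECTION, SAMPLE_ALIASED, SAMPLE_NORMAL]) {
  console.log(introspectionPolicy({ env: 'production', principal: null, query: q }));
}
```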

References

https://graphql.org/learn/introspection/
https://owasp.org/Top10/A05_2021-Security_Misconfiguration

Severity

LOW

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1

CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1