
GHSA-v9jh-j8px-98vq

GitHub Security Advisory

go-ethereum vulnerable to denial of service via crafted GraphQL query

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Geth (aka go-ethereum) through 1.13.4, when `--http --graphql` is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query.

NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic."

Affected Packages

Go github.com/ethereum/go-ethereum
Affected versions: 0 (last affected: 1.13.4)

Related CVEs

Key Information

GHSA ID: GHSA-v9jh-j8px-98vq
Published: October 18, 2023 6:30 AM
Last Modified: September 13, 2024 6:36 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/ethereum/go-ethereum
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.