Remote Denial of Service Vulnerability in Geth by Ethereum
CVE-2023-42319
7.5 HIGH
What is CVE-2023-42319?
A vulnerability in Geth, the Go implementation of the Ethereum protocol, allows remote attackers to cause a denial of service by sending specially crafted GraphQL queries. The issue is reachable only when the Geth daemon is started with both the --http and --graphql flags, which serve the GraphQL endpoint on the node's HTTP server. A crafted query makes the daemon consume excessive memory, after which it hangs or becomes unresponsive. The vendor has stated that the GraphQL endpoint is not designed to withstand attacks by malicious clients or to handle very high volumes of traffic; in practice this means the endpoint should be reachable only by trusted clients rather than exposed to the open network.
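The following is an added example, not code from the advisory or from go-ethereum: it audits a geth command line for the flag combination the advisory describes (--graphql together with --http bound to a non-loopback address), and it includes a probe that confirms whether a node actually serves /graphql with a single minimal query. The flag names (--http, --http.addr, --http.port, --graphql) and the 127.0.0.1:8545 defaults are geth's; the parsing of geth's CLI is a simplification, and the host http://node.example:8545 is a placeholder.

```python
# Added example (not part of the advisory or of go-ethereum): check whether a
# geth invocation leaves its GraphQL endpoint reachable from the network, the
# precondition for CVE-2023-42319. Flag names are geth's; the boolean-flag
# list and the node hostname below are assumptions for illustration.
import json
import shlex
import urllib.error
import urllib.request

# Switches in geth's CLI that never take a value (assumed subset).
BOOLEAN_FLAGS = {"http", "graphql", "ws", "ipcdisable", "metrics"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_geth_args(cmdline):
    """Turn 'geth --http --http.addr 0.0.0.0 --graphql' into a flag dict.
    Handles --flag, --flag value and --flag=value."""
    tokens = shlex.split(cmdline)
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            i += 1
            continue
        name, eq, value = tok[2:].partition("=")
        if eq:
            flags[name] = value
        elif name in BOOLEAN_FLAGS:
            flags[name] = True
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            flags[name] = tokens[i + 1]
            i += 1
        else:
            flags[name] = True
        i += 1
    return flags


def assess_graphql_exposure(cmdline):
    """Return (exposed_to_network, reason) for a geth command line."""
    flags = parse_geth_args(cmdline)
    if "graphql" not in flags:
        return False, "GraphQL endpoint not enabled"
    if "http" not in flags:
        return False, "GraphQL enabled but the HTTP server is off, so /graphql is not served"
    addr = flags.get("http.addr", "127.0.0.1")   # geth default
    port = flags.get("http.port", "8545")        # geth default
    if addr in LOOPBACK:
        return False, (f"GraphQL served on loopback only ({addr}:{port}); "
                       "local clients can still exhaust memory")
    return True, (f"GraphQL reachable from the network on {addr}:{port}; "
                  "bind to loopback or front it with a proxy that limits clients")


def classify_graphql_response(status, body):
    """Interpret the HTTP reply to the minimal query '{ block { number } }'."""
    if status != 200:
        return "closed"
    try:
        doc = json.loads(body)
    except ValueError:
        return "closed"
    data = doc.get("data") if isinstance(doc, dict) else None
    if isinstance(data, dict) and "block" in data:
        return "open"
    return "unknown"


def probe_graphql(base_url, timeout=5):
    """POST the cheapest query that proves the endpoint is live.
    Only a tiny query is sent; never aim heavy block-range queries at a node you do not own."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=json.dumps({"query": "{ block { number } }"}).encode(),
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_graphql_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_graphql_response(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    for cmd in ("geth --http --graphql",
                "geth --http --http.addr 0.0.0.0 --graphql"):
        print(cmd, "->", assess_graphql_exposure(cmd))
    # Placeholder host; run against your own node only:
    # print(probe_graphql("http://node.example:8545"))
```

The loopback case is reported as not network-exposed but still flagged, because the advisory's point is that the endpoint cannot survive a hostile client at all, wherever that client sits.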
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged