CVE-2023-34047 - Understanding and Exploiting the Batch Loader Context Leak in Spring for GraphQL

Spring for GraphQL is a framework that helps Java developers build GraphQL APIs easily. If you're using GraphQL with Spring Boot, there's a good chance you're depending on this library. Recently, a serious security vulnerability was discovered — CVE-2023-34047. If you're running affected versions, your user session data might be leaking between requests.

In this post, I’ll break down what the vulnerability is, show you example exploit code, and explain what you should do to stay safe. No complicated jargon — just the details you need.

What’s CVE-2023-34047 About?

In Spring for GraphQL versions 1.1. - 1.1.5 and 1.2. - 1.2.2, there’s an issue where Batch Loader Functions registered with custom DataLoaderOptions can accidentally expose session-specific context data across different user sessions. That includes user authentication or other sensitive stuff tied to the GraphQL context.

In plain English:
A bit of session info meant for user A could accidentally be visible to user B, just by making GraphQL requests at the same time.

Where’s the problem?

If your code registers batch loader functions using DefaultBatchLoaderRegistry and you supply a custom DataLoaderOptions instance, the DataLoader can re-use a single context, mixing up unrelated user sessions.

See the official advisory from Spring for their explanation.

Here’s a simplified version showing a vulnerable registration

// Vulnerable: Custom DataLoaderOptions (bad usage!)
DataLoaderOptions options = DataLoaderOptions.newOptions().setBatchingEnabled(true);

// Registering a batch loader with possibly sensitive context
batchLoaderRegistry.forBatchLoader(
    "userBatchLoader",
    keys -> userService.findUsersByIds(keys),
    options   // Custom options reused
);

What goes wrong?
If a GraphQL request gets a SecurityContext (the object holding user auth info) injected into the context, a later request on the same thread (even from a different session) can see it.

The Exploit: Stealing Someone’s Security Context

In real world terms, if attacker A makes a request that causes their SecurityContext to get stored in the DataLoader, and before that DataLoader is cleared (or in a multi-threaded scenario), user B requests data with the same DataLoader — they can access the SecurityContext of attacker A.

Here's skeleton code showing how an attacker could try to "catch" leaked context info in a GraphQL resolver:

@Component
public class UserDataFetcher implements DataFetcher<List<User>> {
    @Override
    public List<User> get(DataFetchingEnvironment env) {
        // Grab the context — watch out!
        Object context = env.getContext();
        if (context instanceof MySecurityContext) {
            MySecurityContext sec = (MySecurityContext) context;
            // Log or send context values elsewhere
            System.out.println("Exposed Security Context: " + sec.getUsername());
        }
        // Continue as normal
        List<String> userIds = env.getArgument("ids");
        return userService.findUsersByIds(userIds);
    }
}

In real life, attackers would use this information to elevate privilege, impersonate sessions, or harvest sensitive identity data.

You use Spring for GraphQL between 1.1. - 1.1.5 or 1.2. - 1.2.2

- You register batch loader functions using DefaultBatchLoaderRegistry AND supply a custom DataLoaderOptions instance.

References and Patch

- Official Spring Security Advisory
- Spring for GraphQL - DataLoader Registry
- CVE-2023-34047 - NVD Details

Temporary Mitigation

If you can’t update, avoid passing a custom DataLoaderOptions when registering your batch loaders. Use the default options instead.

Search your code for .forBatchLoader calls. Look for any use of DataLoaderOptions.

// SAFE: Don’t pass custom DataLoaderOptions
batchLoaderRegistry.forBatchLoader(
    "userBatchLoader",
    keys -> userService.findUsersByIds(keys)
);

What Did Spring Change?

The fix ensures the DataLoader context is not shared accidentally and is truly isolated per request/session when custom options are set. Read the commit diff for nerdy details.

Summary

CVE-2023-34047 in Spring for GraphQL is a session context leak bug. If your app uses custom DataLoaderOptions with batch loader functions, you could accidentally mix up users' security info. Upgrade now to avoid leaking user contexts!

Stay safe and keep your dependencies updated.

If you have further questions, check the Spring guidance or drop your questions below.


Exclusive takeaway:
*Even top Java frameworks can slip. Always review how context is managed in async frameworks and test your session isolation, especially when using shared objects like DataLoaders.*


*If you found this useful, share it with your team and make application security everyone's business!*

Timeline

Published on: 09/20/2023 10:15:00 UTC
Last modified on: 10/18/2023 18:04:00 UTC