CVE-2021-47748
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-02-02
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hasura | graphql_engine | 1.3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47748 is a critical remote code execution vulnerability in Hasura GraphQL Engine version 1.3.3. It allows attackers to execute arbitrary shell commands on the server by manipulating SQL queries sent to the run_sql endpoint. Specifically, attackers exploit PostgreSQL's COPY FROM PROGRAM feature by crafting malicious GraphQL queries that inject system commands. This happens due to improper input handling, enabling remote attackers to run code without authentication. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote code execution on the affected system. An attacker can execute arbitrary shell commands remotely without any authentication, potentially leading to unauthorized access, data theft, system compromise, disruption of services, and complete loss of confidentiality, integrity, and availability of the system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send specially crafted GraphQL queries to the Hasura GraphQL engine's run_sql or v1/query endpoints that exploit the SQL injection via the COPY FROM PROGRAM feature. One practical method is to use the provided Python exploit script from Resource 2, which sends JSON payloads containing SQL commands to execute shell commands remotely. Monitoring network traffic for unusual GraphQL bulk queries or unexpected SQL commands targeting the run_sql endpoint may also help detect exploitation attempts. Specific commands include sending a bulk GraphQL query with SQL commands that create a table and execute shell commands via COPY FROM PROGRAM, as demonstrated in the Python script in Resource 2. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Hasura GraphQL Engine from version 1.3.3 to a patched version that addresses this remote code execution vulnerability. If an upgrade is not immediately possible, restrict access to the Hasura GraphQL endpoints, especially run_sql and v1/query, by implementing network-level controls such as firewalls or IP whitelisting. Additionally, monitor and block suspicious GraphQL queries that attempt to use the COPY FROM PROGRAM functionality or execute arbitrary SQL commands. Disabling or restricting the use of the run_sql endpoint can also reduce the attack surface. [1, 2]