A critical remote code execution vulnerability has been identified in Hasura GraphQL version 1.3.3. This flaw allows an unauthenticated attacker to take complete control of the server by sending a specially crafted GraphQL query, which can lead to total system compromise, data theft, and service disruption. Organizations using the affected software are exposed to significant risk and should take immediate action to mitigate this threat.

The vulnerability exists within the run_sql API endpoint, which fails to properly sanitize user-supplied input within GraphQL queries. An attacker can inject malicious SQL statements that leverage PostgreSQL's COPY FROM PROGRAM functionality. By crafting a query that includes this command, the attacker can force the database server to execute arbitrary shell commands with the privileges of the PostgreSQL service account, resulting in remote code execution (RCE) on the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to gain full administrative control over the database server and potentially the entire host operating system. The consequences include, but are not limited to, the theft of sensitive data, modification or deletion of critical business information, complete service outages, and the ability for an attacker to use the compromised server as a pivot point to launch further attacks against the internal network. The potential for reputational damage and financial loss is extremely high.

Immediate Action:

• Immediately apply security updates by upgrading Hasura GraphQL to the latest version as recommended by the vendor.
• Review server and application access logs for any signs of compromise or exploitation attempts targeting the run_sql endpoint.

Proactive Monitoring:

• Log Analysis: Configure security information and event management (SIEM) systems to alert on GraphQL queries targeting the run_sql endpoint that contain suspicious keywords such as COPY, PROGRAM, or common shell command syntax.
• Network Monitoring: Monitor for unusual outbound connections from the database server, which could indicate a reverse shell or data exfiltration channel established by an attacker.
• Endpoint Detection: Monitor for unexpected processes being spawned by the PostgreSQL user account on the database server.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to inspect GraphQL traffic and block queries containing malicious SQL injection patterns, particularly those attempting to use COPY FROM PROGRAM.
• Database Permissions: Enforce the principle of least privilege by ensuring the database user account used by Hasura does not have permissions to execute dangerous functions like COPY FROM PROGRAM.
• Network Segmentation: Restrict all outbound network access from the database server except for what is explicitly required for business operations.

Public Exploit Available: Information not available in the provided CVE data.

Given the critical CVSS score of 9.8 and the risk of complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all affected instances of Hasura GraphQL be patched to the latest version without delay. While this vulnerability is not yet on the CISA KEV list, its severity and potential for straightforward exploitation mean it should be treated with the highest priority. In parallel with patching, organizations must implement the proactive monitoring and compensating controls outlined above to detect potential exploitation and limit the blast radius of an attack.