This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis โ
Q1What is this vulnerability? (Essence + Consequences)
๐จ **Essence**: Dgraph < 25.3.2 has a **credential leakage** flaw. <br>๐ฅ **Consequences**: Unauthorized **privilege escalation**. Attackers gain admin access without valid credentials.โฆ
๐ก๏ธ **CWE**: CWE-200 (Information Exposure). <br>๐ **Flaw**: **Unverified credentials** are exposed. The system fails to properly validate or mask auth tokens, leaking sensitive access data.
Q3Who is affected? (Versions/Components)
๐ฆ **Vendor**: dgraph-io. <br>๐ **Affected**: **Dgraph** versions **25.3.1 and earlier**. <br>โ **Fixed**: Version **25.3.2** and later.
Q4What can hackers do? (Privileges/Data)
๐ **Privileges**: **Privileged Management Access**. <br>๐ **Data**: Full read/write access to the GraphQL database. <br>โ ๏ธ **Impact**: Complete compromise of the distributed graph database.
Q5Is exploitation threshold high? (Auth/Config)
โก **Threshold**: **LOW**. <br>๐ **Auth**: **PR:N** (No Privileges Required). <br>๐ **Access**: **AV:N** (Network). <br>๐ค **UI**: **UI:N** (No User Interaction). Easy remote exploitation.
Q6Is there a public Exp? (PoC/Wild Exploitation)
๐ **Public Exp?**: **No PoC** listed in data. <br>๐ต๏ธ **Status**: Advisory confirmed (GHSA-95mq-xwj4-r47p). <br>โ ๏ธ **Risk**: High CVSS (8.6) suggests easy exploitation despite no public code.
Q7How to self-check? (Features/Scanning)
๐ **Check**: Scan for Dgraph instances running **v25.3.1 or older**. <br>๐ ๏ธ **Tool**: Use version detection on GraphQL endpoints. <br>๐ **Monitor**: Look for unexpected admin API calls from unknown IPs.
๐ฅ **Urgency**: **HIGH**. <br>๐ **CVSS**: 8.6 (High). <br>๐ **Action**: **Patch immediately**. No auth required makes this critical for production environments.