Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler. This vulnerability is fixed in 25.3.3.
Dgraph Alpha exposes the /debug/vars endpoint without any authentication, which is handled by the standard http.DefaultServeMux mechanism of the Go library (expvar). Since the administrative token is typically passed at application startup as a command-line argument (--security "token=..."), its value is visible in the data exposed by this endpoint. An attacker can read the token from the HTTP response and then use it in the X-Dgraph-AuthToken header to gain access to endpoints reserved exclusively for administrators. The previous patch only blocked the /debug/pprof/cmdline path, leaving /debug/vars unprotected.
An unauthenticated remote attacker can gain full administrative privileges to a Dgraph instance, leading to violation of confidentiality, integrity, and availability of data stored in the database.
Dgraph should be updated to version 25.3.3, in which the vulnerability has been fixed. The patch is available in the GitHub repository at: https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3. As a temporary measure, until updating, consider blocking network access to the /debug/vars endpoint at the firewall or proxy level.
Dgraph (open source distributed GraphQL database) in all versions before 25.3.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDgraph
APPDgraph< 25.3.3
Related vulnerabilities
Dgraph — wstrzyknięcie zapytania DQL umożliwia nieautoryzowany odczyt danych
DQL injection w Dgraph — nieuwierzytelniony pełny odczyt bazy danych
Dgraph: ujawnienie tokenu admina przez niezabezpieczony endpoint /debug/pprof/cmdline
Dgraph: nieuwierzytelniony dostęp do mutacji restoreTenant (SSRF, RCE danych)
Dgraph is an open source distributed GraphQL database. Existing Dgraph audit logs are vulnerable to brute forc...