Security Patch - November 2024

October 29, 2025

A new vulnerability was uncovered in the GraphQL Java library, tracked under the following reference: CVE-2024-40094

The vulnerability is located in the GraphQL API, embedded in all versions of Jahia, and can lead to denial of service via executing specially-crafted introspection queries.

At the time of writing this security patch page, no exploits were published for Jahia.

Affected versions

  • All versions of Jahia below 8.1.8.1 (including Jahia 7.x)
  • Jahia 8.2.0.4

Note that jCustomer is not affected by the vulnerability as it does not use GraphQL.

Patched versions

The vulnerability has been addressed in the following versions of Jahia:

  • Jahia 8.2.0.5 (upgraded the library, patching the vulnerability)
  • Jahia 8.1.8.1 (implemented a mitigation, detailed below)

We strongly encourage our customers to upgrade to one of these versions as the primary means of addressing the vulnerability.

In situations where upgrading to Jahia 8.1.8.1 or 8.2.0.5 is not possible, a mitigation procedure is available to disable introspection on older versions of Jahia.

Mitigating the vulnerability for Jahia 8.1.7 and below

In Jahia 8.1.x, upgrading to the version of the GraphQL Java library addressing the vulnerability is not possible. Instead, a mitigation mechanism was implemented in various modules (detailed below) to make it possible to disable GraphQL introspection while keeping the GraphQL API fully operational.

In Jahia 8.1.8.1 this mitigation mechanism is enabled by default, and no other operation is necessary. Although we strongly encourage our customers to upgrade to a recent version of Jahia (8.1.8.1 or 8.2.0.5), it remains possible to manually install the set of modules needed for applying the mitigation on older versions of Jahia.

Impact of the mitigation

The mitigation disables GraphQL introspection, which means that any feature relying on introspection itself will need to be updated. This impacts queries using "__" nodes, such as "__schema" or "__Type".

The most obvious change for developers or users of the Jahia Administration UI will be that GraphQL Playground / GraphiQL is not available from the developer tools nor from the support tools when introspection is disabled.

Disabling introspection does not prevent GraphQL queries, mutations or subscriptions from being executed.

Preparing for the mitigation

Before beginning to apply the mitigation, and due to the number of modules requiring an upgrade, you are strongly encouraged to update all Jahia modules present in your environment to their latest version published on the Jahia store.

Module                     Jahia 8.1.3        Jahia 8.1.5        Jahia 8.1.6        Jahia 8.1.7
ckeditor                   4.21.0-jahia8-6    4.21.0-jahia8-6    4.21.0-jahia8-6    4.21.0-jahia8-6
content-security-policy    2.4.0              No update needed   No update needed   No update needed
default-skins              8.1.0              8.2.0              8.2.0              8.2.0
jahia-category-manager     1.3.0              1.3.0              No update needed   No update needed
jahia-csrf-guard           3.4.0              3.4.0              No update needed   No update needed
jahia-dashboard-docs       1.2.0              No update needed   No update needed   No update needed
jahia-repository-explorer  1.5.0              1.5.0              No update needed   No update needed
jahia-user-entries         1.6.0              1.6.0              1.6.0              1.6.0
personal-api-tokens        1.5.0              1.5.0              1.5.0              1.5.0
security-filter-tools      2.5.0              2.5.0              2.5.0              2.5.0
tools                      4.2.0              4.5.0              4.5.0              4.5.0

Although updating these modules is not strictly required, our testing of the mitigation was performed using the module versions detailed above.

Applying the mitigation

The mitigation for Jahia 8.1.x consists of introducing a property to disable GraphQL introspection.

Since introspection was previously used by some Jahia modules, it is also necessary to update these modules to a recent release supporting that mitigation.

The following modules must be upgraded:

  • jahia-administration to version 1.11.0
  • jahia-dashboard to version 1.10.0
  • jahia-page-composer to version 1.12.0
  • jahia-ui-root to version 1.10.0
  • jcontent to version 2.18.0
  • content-editor to version 3.8.0 or 4.11.0
    • If you are currently running content-editor 3.x, you should upgrade to 3.8.0
    • If you are currently running content-editor 4.x, you should upgrade to 4.11.0
  • app-shell to version 2.10.0 or 3.2.0
    • If you are currently running app-shell 2.x, you should upgrade to 2.10.0
    • If you are currently running app-shell 3.x, you should upgrade to 3.2.0
  • site-settings-seo to version 4.4.0
    • Only required for Jahia 8.1.6 and below. The site-settings-seo 4.4.0 module is already present in Jahia 8.1.7+
  • forms-core to version 3.15.0
    • Only required if forms-core is currently deployed on your platform
  • graphql-dxm-provider to version 2.21.0

Applying the mitigation manually

The mitigation can be applied via the module-manager UI by updating the modules, one by one, to the desired version.

If you are applying the mitigation manually, make sure to update "graphql-dxm-provider" last, since it is the module that effectively disables introspection.

Applying the mitigation via a provisioning script

For environments with access to the internet (able to connect to the Jahia store), the mitigation can also be applied via the provisioning script available below.

Before submitting it, make sure to update:

  • The URL to your environment (--url)
  • The credentials (--user)
  • The Origin header using the URL of your environment (--header)
  • The versions of content-editor and app-shell
  • Add site-settings-seo if v4.4.0 is not currently deployed

curl --request POST \
  --url http://localhost:8080/modules/api/provisioning \
  --user root:root1234 \
  --header 'Content-Type: application/yaml' \
  --header 'Origin: http://localhost:8080' \
  --data '- installBundle:
  - '\''mvn:org.jahia.modules/jahia-administration/1.10.0'\''
  - '\''mvn:org.jahia.modules/jahia-dashboard/1.10.0'\''
  - '\''mvn:org.jahia.modules/jahia-page-composer/1.12.0'\''
  - '\''mvn:org.jahia.modules/jahia-ui-root/1.10.0'\''
  - '\''mvn:org.jahia.modules/jcontent/2.18.0'\''
  - '\''mvn:org.jahia.modules/content-editor/4.11.0'\''
  - '\''mvn:org.jahia.modules/app-shell/2.10.0'\''
  - '\''mvn:org.jahia.modules/graphql-dxm-provider/2.21.0'\''
  autoStart: true
  forceUpdate: true
  uninstallPreviousVersion: true 
'
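The checklist above (content-editor and app-shell line, site-settings-seo only below 8.1.7, forms-core only where deployed, graphql-dxm-provider last) is easy to get wrong by hand. The following script is an example added to this page, not Jahia's own tooling: it encodes those rules, renders the same YAML document as the curl command, and can submit it with the same headers. Module versions are taken from the list under "Applying the mitigation"; the function and parameter names (select_modules, render_manifest, submit_manifest, seo_440_deployed) are this example's own.

```python
"""Build the provisioning manifest for the Jahia 8.1.x introspection mitigation.

Example code added to this page; it is not Jahia's own tooling. Module versions
come from the list under "Applying the mitigation"; the selection rules for
content-editor, app-shell, site-settings-seo and forms-core follow that list.
"""
import base64
import urllib.request

# Modules every Jahia 8.1.x platform needs, in install order.
BASE_MODULES = [
    ("jahia-administration", "1.11.0"),
    ("jahia-dashboard", "1.10.0"),
    ("jahia-page-composer", "1.12.0"),
    ("jahia-ui-root", "1.10.0"),
    ("jcontent", "2.18.0"),
]

# Target version depends on which major line is currently deployed.
CONTENT_EDITOR_VERSIONS = {3: "3.8.0", 4: "4.11.0"}
APP_SHELL_VERSIONS = {2: "2.10.0", 3: "3.2.0"}

# graphql-dxm-provider is the module that actually disables introspection,
# so it is always installed last.
FINAL_MODULE = ("graphql-dxm-provider", "2.21.0")


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def select_modules(jahia_version, content_editor_major, app_shell_major,
                   forms_core_deployed=False, seo_440_deployed=False):
    """Return the ordered (module, version) pairs to install for this platform."""
    if content_editor_major not in CONTENT_EDITOR_VERSIONS:
        raise ValueError(f"no mitigation release for content-editor {content_editor_major}.x")
    if app_shell_major not in APP_SHELL_VERSIONS:
        raise ValueError(f"no mitigation release for app-shell {app_shell_major}.x")

    modules = list(BASE_MODULES)
    modules.append(("content-editor", CONTENT_EDITOR_VERSIONS[content_editor_major]))
    modules.append(("app-shell", APP_SHELL_VERSIONS[app_shell_major]))
    # site-settings-seo 4.4.0 ships with Jahia 8.1.7+; older platforms need it
    # unless it is already deployed.
    if _version_tuple(jahia_version) < (8, 1, 7) and not seo_440_deployed:
        modules.append(("site-settings-seo", "4.4.0"))
    # forms-core is only updated where it is actually deployed.
    if forms_core_deployed:
        modules.append(("forms-core", "3.15.0"))
    modules.append(FINAL_MODULE)
    return modules


def render_manifest(modules):
    """Render the YAML document accepted by /modules/api/provisioning."""
    lines = ["- installBundle:"]
    lines += [f"  - 'mvn:org.jahia.modules/{name}/{version}'" for name, version in modules]
    lines += ["  autoStart: true", "  forceUpdate: true", "  uninstallPreviousVersion: true"]
    return "\n".join(lines) + "\n"


def submit_manifest(base_url, user, password, manifest, timeout=60):
    """POST the manifest with the same headers as the curl command above (live call)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"{base_url}/modules/api/provisioning",
        data=manifest.encode(),
        method="POST",
        headers={
            "Content-Type": "application/yaml",
            "Origin": base_url,
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Jahia 8.1.5 running content-editor 4.x and app-shell 2.x, without forms-core.
    print(render_manifest(select_modules("8.1.5", 4, 2)))
```

Review the rendered YAML before calling submit_manifest; the ordering matters because graphql-dxm-provider is the module that turns introspection off, and the other modules must already be at a release that no longer depends on it.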

Enabling or Disabling introspection

In Jahia 8.1.x, the security fix is a mitigation.

Note that the capability to enable or disable introspection is not present in Jahia 8.2 as the graphql-java library included in Jahia 8.2.0.5+ includes a fix for the vulnerability (thus making the mitigation unnecessary).

Introspection is a GraphQL feature designed to make it easier for developers to build against a GraphQL API. As part of the mitigation, the following was implemented:

  • If running in production mode, GraphQL introspection is disabled by default
  • If running in development mode, GraphQL introspection is enabled by default

Introspection can be enabled or disabled by editing the "org.jahia.modules.graphql.provider-default.cfg" configuration file and modifying the graphql.introspection.enabled property.

# Enables introspection queries in the GraphQL schema when set to true (only in the default configuration file).
# Introspection queries are enabled by default in development mode and disabled by default in production mode.
# The graphql-dxm-provider module needs to be restarted for a change to take effect.
graphql.introspection.enabled = false

After modifying the configuration, it is necessary to refresh the wiring of the graphql-dxm-provider module. You can do so via the module-manager UI. Introspection is handled at the very beginning of the module startup, before the config watcher is instantiated, so a restart of the module is required to make sure the property is taken into consideration.

Verifying the security patch was applied

You can verify the fix using the following curl query:

curl --request POST \
  --url http://localhost:8080/modules/graphql \
  --user root:root1234 \
  --header 'Content-Type: application/json' \
  --header 'Origin: http://localhost:8080' \
  --data '{"query":"query test {\n  __schema {\n    types {\n      ...F1\n    }\n  }\n}\n\nfragment F1 on __Type {\n  fields {\n    type {\n      ...F2\n    }\n  }\n  ofType {\n    ...F2\n  }\n}\n\nfragment F2 on __Type {\n  fields {\n    type {\n      name\n    }\n  }\n  ofType {\n    name\n  }\n}","operationName":"test"}'

The response will be different depending on the Jahia version you are targeting.

Note that the query above is useful to validate the state of the fix and does not represent an exploit of the vulnerability.
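Interpreting the three possible responses by eye does not scale across many environments. The script below is an example added to this page, not part of Jahia: it sends the same verification query as the curl command, classifies the answer using the three response shapes documented below (BadFaithIntrospection for 8.2.0.5+, a FieldUndefined validation error on __Schema for 8.1.x with the mitigation active, and a populated data.__schema when introspection is still enabled), and also reads the graphql.introspection.enabled property from the .cfg file discussed in the previous section, applying the documented per-mode default when the property is absent or commented out. The sample responses embedded in the code are constructed from the excerpts shown on this page and trimmed to valid JSON; the function names (classify_response, introspection_enabled_from_cfg, check_endpoint) are this example's own.

```python
"""Classify a Jahia GraphQL endpoint's answer to the introspection check query.

Example code added to this page, not Jahia's. The reference responses below are
constructed from the samples shown on this page, trimmed to valid JSON.
"""
import base64
import json
import urllib.error
import urllib.request

# The same verification query the curl command above sends.
INTROSPECTION_CHECK_QUERY = (
    "query test {\n  __schema {\n    types {\n      ...F1\n    }\n  }\n}\n\n"
    "fragment F1 on __Type {\n  fields {\n    type {\n      ...F2\n    }\n  }\n"
    "  ofType {\n    ...F2\n  }\n}\n\n"
    "fragment F2 on __Type {\n  fields {\n    type {\n      name\n    }\n  }\n"
    "  ofType {\n    name\n  }\n}"
)

# Constructed samples: Jahia 8.2.0.5+ (library fix), 8.1.x mitigated, 8.1.x unmitigated.
PATCHED_LIBRARY_RESPONSE = json.dumps({
    "errors": [{
        "message": "This request is not asking for introspection in good faith - "
                   "__Type.fields is present too often!",
        "extensions": {"classification": "BadFaithIntrospection"},
    }],
    "data": None,
})
MITIGATED_RESPONSE = json.dumps({
    "errors": [{
        "message": "Validation error of type FieldUndefined: Field 'types' in type "
                   "'__Schema' is undefined @ '__schema/types'",
        "locations": [{"line": 3, "column": 5}],
        "extensions": {"classification": "ValidationError"},
    }],
    "data": None,
})
ENABLED_RESPONSE = json.dumps({
    "data": {"__schema": {"types": [
        {"fields": [{"type": {"fields": None, "ofType": {"name": "AclRole"}}}],
         "ofType": None},
    ]}},
})


def classify_response(body):
    """Map a GraphQL response body to one of: patched-library,
    introspection-disabled, introspection-enabled, unknown."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "unknown"
    for error in payload.get("errors") or []:
        classification = (error.get("extensions") or {}).get("classification")
        message = error.get("message", "")
        if classification == "BadFaithIntrospection":
            return "patched-library"        # graphql-java 8.2.0.5+ rejects the query itself
        if (classification == "ValidationError" and "FieldUndefined" in message
                and "__schema" in message.lower()):
            return "introspection-disabled"  # 8.1.x mitigation removed the __Schema fields
    if (payload.get("data") or {}).get("__schema") is not None:
        return "introspection-enabled"       # 8.1.x without the mitigation active
    return "unknown"


def introspection_enabled_from_cfg(cfg_text, production_mode):
    """Read graphql.introspection.enabled from the .cfg content; a missing or
    commented-out property means the per-mode default applies."""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "graphql.introspection.enabled":
            return value.strip().lower() == "true"
    return not production_mode


def check_endpoint(base_url, user, password, timeout=10):
    """Live check: POST the query like the curl command and classify the answer."""
    payload = json.dumps({"query": INTROSPECTION_CHECK_QUERY, "operationName": "test"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"{base_url}/modules/graphql", data=payload.encode(), method="POST",
        headers={"Content-Type": "application/json", "Origin": base_url,
                 "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_response(response.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_response(exc.read().decode())  # error bodies may still be JSON


if __name__ == "__main__":
    for name, sample in [("8.2.0.5+", PATCHED_LIBRARY_RESPONSE),
                         ("8.1.x mitigated", MITIGATED_RESPONSE),
                         ("8.1.x enabled", ENABLED_RESPONSE)]:
        print(f"{name}: {classify_response(sample)}")
```

On an 8.1.x platform, "introspection-enabled" from check_endpoint together with a .cfg that resolves to enabled means the mitigation is not active yet; remember that editing the property alone is not enough until the graphql-dxm-provider module has been restarted.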

Jahia 8.2.0.5+

{
  "errors": [
    {
      "message": "This request is not asking for introspection in good faith - __Type.fields is present too often!",
      "extensions": {
        "classification": "BadFaithIntrospection"
      }
    }
  ],
  "data": null
}

Jahia 8.1.x - With introspection disabled (default in production mode)

{
  "errors": [
    {
      "message": "Validation error of type FieldUndefined: Field 'types' in type '__Schema' is undefined @ '__schema/types'",
      "locations": [
        {
          "line": 3,
          "column": 5
        }
      ],
      "extensions": {
        "classification": "ValidationError"
      }
    }
...CONTENT REDACTED FOR READABILITY...
  ],
  "data": null
}

Jahia 8.1.x - With introspection enabled (default in development mode)

The output presented below is a partial response.

{
  "data": {
    "__schema": {
      "types": [
        {
          "fields": [
            {
              "type": {
                "fields": null,
                "ofType": {
                  "name": "AclRole"
                }
              }
            },
...CONTENT REDACTED FOR READABILITY...
          ],
          "ofType": null
        }
      ]
    }
  }
}

Please do not hesitate to reach out to Jahia Support if you have any questions or concerns.