Description

Your web application is running with GraphQL Alias Overloading enabled, allowing 100+ aliases in a single request. GraphQL aliases allow clients to perform the same query multiple times in a single request by assigning a different name to each of them. This feature can be useful for legitimate use cases but may also be exploited by attackers to perform Denial of Service (DoS) attacks on GraphQL APIs.

Remediation

Limit Alias Overloading: Implement restrictions on the number of allowed aliases in a single request to reduce the potential impact of a DoS attack.

Rate Limiting: Apply rate limiting to client requests, limiting the number of requests per client in a given time frame, reducing the likelihood and impact of DoS attacks.

References

GraphQL Aliases

Related Vulnerabilities

Laravel Horizon open

Unrestricted access to Kong Gateway API

Microsoft Frontpage configuration information

Multiple vulnerabilities in Ioncube loader-wizard.php

Apache Axis2 administration console weak password

Severity

Medium

Classification

CWE-400 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Tags

Configuration Denial Of Service