Description

Your web application's GraphQL API has been identified to allow nested queries with circular relationships through introspection. This configuration can lead to complex queries that consume an excessive amount of resources, potentially resulting in a Denial of Service (DoS) attack that reduces the availability of your GraphQL API and affects the overall performance of your web application.

Remediation

Limit Query Depth: Implement a restriction on the maximum query depth allowed in the GraphQL API to prevent excessive nesting and circular queries.

References

Depth limiting in Graphene

Node graphql-depth-limit library

Depth limiting in Apollo

Related Vulnerabilities

JIRA Security Advisory 2013-02-21

Apache Roller OGNL injection

MediaWiki remote code execution

Weak Secret is Used to Sign JWT

GraphQL Non-JSON Queries over POST: Potential CSRF Vulnerability

Severity

Medium

Classification

CWE-400 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Configuration Denial Of Service