Hot Chocolate GraphQL Parser Recursion Depth Limit Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Hot Chocolate, an open-source GraphQL server, in versions prior to 12.22.7, 13.9.16, 14.3.1, and 15.1.14. The issue arises from the recursive descent parser, Utf8GraphQLParser, which lacks a recursion depth limit. This vulnerability can be exploited by sending a crafted GraphQL document with deeply nested selection sets, object values, list values, or list types. Such a document can cause a StackOverflowException, terminating the worker process handling the request. This process termination disrupts all in-flight HTTP requests, background tasks, and open WebSocket subscriptions, requiring a restart of the worker process. Notably, this crash occurs before any validation rules can be applied, such as MaxExecutionDepth or custom document validation rules, leaving the application vulnerable to such attacks.
Impact
Exploitation of this vulnerability causes a StackOverflowException, which is uncatchable in .NET. This exception leads to an immediate termination of the worker process, causing a denial-of-service condition. All in-flight HTTP requests, background IHostedService tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator must restart the process, causing further disruption.
Reproduction
To reproduce this vulnerability, send a GraphQL request containing a deeply nested selection set, object values, list values, or list types. The request can be as small as 40 KB, but must be crafted to include the nested elements that trigger the stack overflow. This can be done using a GraphQL client or tool that allows for the manipulation of the request payload.
Remediation
Users can upgrade to Hot Chocolate versions 12.22.7, 13.9.16, 14.3.1, or 15.1.14, where this vulnerability has been patched. The patch introduces a MaxAllowedRecursionDepth option that is enforced across all recursive parser methods. Instructions for downloading the updated version can be found on the Hot Chocolate GitHub Releases page.
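To illustrate the kind of guard the patch describes, here is an added example (not Hot Chocolate's own code, and written in Python rather than C#): a toy recursive-descent parser for GraphQL selection sets and list values in which every recursive method checks a depth counter on entry, so an over-nested document is rejected with a catchable parse error long before the call stack is exhausted. The names DepthLimitedParser, ParseError and max_depth, and the default limit of 64, are this example's own choices, not the library's API or default.

```python
# Added example, not Hot Chocolate's code: a toy GraphQL recursive-descent parser
# with a MaxAllowedRecursionDepth-style guard (the default of 64 is constructed).

class ParseError(Exception):
    pass

class DepthLimitedParser:
    def __init__(self, text, max_depth=64):
        self.text, self.pos, self.max_depth, self.depth = text, 0, max_depth, 0
    def _peek(self):  # skip insignificant chars (GraphQL treats commas like whitespace)
        while self.pos < len(self.text) and self.text[self.pos] in " \t\r\n,":
            self.pos += 1
        return self.text[self.pos] if self.pos < len(self.text) else ""
    def _expect(self, ch):
        if self._peek() != ch:
            raise ParseError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1
    def _name(self):  # a Name or Int token; the caller has already skipped whitespace
        start = self.pos
        while self.pos < len(self.text) and (self.text[self.pos].isalnum() or self.text[self.pos] == "_"):
            self.pos += 1
        if start == self.pos:
            raise ParseError(f"expected name at offset {self.pos}")
        return self.text[start:self.pos]
    def _enter(self):  # the check the patch adds on entry to every recursive method
        self.depth += 1
        if self.depth > self.max_depth:
            raise ParseError(f"max allowed recursion depth {self.max_depth} exceeded")
    def parse_selection_set(self):  # '{' Name [SelectionSet] ... '}'
        self._enter()
        self._expect("{")
        fields = []
        while self._peek() != "}":
            name = self._name()
            fields.append((name, self.parse_selection_set() if self._peek() == "{" else None))
        self._expect("}")
        self.depth -= 1
        return fields
    def parse_value(self):  # '[' Value ... ']' or a bare Name/Int
        self._enter()
        if self._peek() == "[":
            self.pos += 1
            result = []
            while self._peek() != "]":
                result.append(self.parse_value())
            self._expect("]")
        else:
            result = self._name()
        self.depth -= 1
        return result
```

Because the limit is enforced inside the parser, the document is rejected before execution-time rules such as MaxExecutionDepth would ever run, which is the ordering the advisory's crash-before-validation observation calls for.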
