graphql-go Denial-of-Service Vulnerability Due to Quadratic Complexity in Validation
Vulnerability
A denial-of-service vulnerability has been identified in graphql-go, a Go implementation of GraphQL, affecting versions through 15.31.4. The issue lies in the OverlappingFieldsCanBeMerged validation rule, which compares every pair of fields that share a response name, so the work grows quadratically with the number of such fields. An attacker can exploit this by sending a query whose selection set repeats one identical field thousands of times; the pairwise comparisons then consume excessive CPU during validation, before any resolver runs. The existing QueryDepth and QueryComplexity rules do not mitigate this: a query of this shape is only one level deep.
Impact
Each malicious request burns CPU in the validation phase before execution starts, so a modest number of concurrent requests can exhaust the server's CPU and cause request timeouts for legitimate clients.
Reproduction
The vulnerability can be reproduced by sending a GraphQL query whose selection set contains a large number of fields with the same response name. For example, a query that repeats a single field such as 'hello' thousands of times triggers the quadratic pairwise comparison in OverlappingFieldsCanBeMerged, and validation time grows with the square of the repetition count.
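The following Go program is an added example and is not code from graphql-go or from the advisory. It builds a query of the shape described above, counts how many pairwise comparisons a rule that compares every pair of same-named fields would perform, and shows a hypothetical pre-validation guard (CheckRepeatedFields, with an assumed per-name limit) that rejects such queries. The guard and its toy tokenizer, which only understands a single flat selection set of bare field names, are assumptions for illustration, not the fix shipped in graphql-go.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BuildRepeatedFieldQuery constructs a query of the shape the advisory
// describes: one selection set with n copies of the same field name.
func BuildRepeatedFieldQuery(field string, n int) string {
	var sb strings.Builder
	sb.WriteString("{ ")
	for i := 0; i < n; i++ {
		sb.WriteString(field)
		sb.WriteByte(' ')
	}
	sb.WriteString("}")
	return sb.String()
}

// NaivePairwiseComparisons models the cost of a rule that checks every pair
// of fields sharing a response name. For n identical fields the count is
// n*(n-1)/2, which is the quadratic behaviour behind this advisory.
func NaivePairwiseComparisons(fields []string) int {
	comparisons := 0
	for i := 0; i < len(fields); i++ {
		for j := i + 1; j < len(fields); j++ {
			if fields[i] == fields[j] {
				comparisons++
			}
		}
	}
	return comparisons
}

// ResponseNameCounts is a toy tokenizer (assumption for this example): it
// handles only "{ a b c }" selection sets of bare field names, with no
// aliases, arguments, fragments or nesting, and counts each name's occurrences.
func ResponseNameCounts(query string) (map[string]int, error) {
	q := strings.TrimSpace(query)
	if !strings.HasPrefix(q, "{") || !strings.HasSuffix(q, "}") {
		return nil, errors.New("expected a single flat selection set")
	}
	counts := make(map[string]int)
	for _, tok := range strings.Fields(q[1 : len(q)-1]) {
		counts[tok]++
	}
	return counts, nil
}

// CheckRepeatedFields is a hypothetical pre-validation guard: it rejects a
// query in which any response name appears more than maxPerName times in
// the selection set, so the quadratic rule never sees a hostile input.
func CheckRepeatedFields(query string, maxPerName int) error {
	counts, err := ResponseNameCounts(query)
	if err != nil {
		return err
	}
	for name, c := range counts {
		if c > maxPerName {
			return fmt.Errorf("field %q repeated %d times (limit %d)", name, c, maxPerName)
		}
	}
	return nil
}

func main() {
	// Constructed input: 5000 repetitions of "hello" in one selection set.
	q := BuildRepeatedFieldQuery("hello", 5000)
	fields := strings.Fields(q[1 : len(q)-1])
	fmt.Println("fields:", len(fields), "pairwise comparisons:", NaivePairwiseComparisons(fields))
	fmt.Println("guard verdict:", CheckRepeatedFields(q, 50))
}
```

Running main prints 12497500 comparisons for 5000 fields, against 4999 for a rule that groups fields by response name first; the guard rejects the query before that work is done. A per-name limit in the tens is generous for real clients, which rarely select the same field more than a handful of times without aliases.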
Remediation
Upgrade to graphql-go version 15.31.5 or later, which fixes this issue.
