

GHSA-FC86-6RV6-2JPM: Denial of Service via Algorithmic Complexity in webonyx/graphql-php

DEV Community·CVE Reports·28 days ago

Vulnerability ID: GHSA-FC86-6RV6-2JPM
CVSS Score: 7.5
Published: 2026-05-04

The webonyx/graphql-php library before version 15.32.2 contains a Denial of Service vulnerability due to uncontrolled resource consumption. The flaw resides in the OverlappingFieldsCanBeMerged validation rule, where improper handling of inline fragments causes quadratic or worse computational complexity during the query validation phase.

TL;DR

A Denial of Service vulnerability in webonyx/graphql-php allows unauthenticated attackers to exhaust CPU resources using specially crafted GraphQL queries containing nested inline fragments. The OverlappingFieldsCanBeMerged validation rule lacks appropriate limits, causing O(N^2) complexity. Version 15.32.2 patches this by implementing a hard limit on field comparisons.…
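Added example, not code from graphql-php or from the advisory: a toy Python model of an OverlappingFieldsCanBeMerged-style check that enforces the mitigation pattern the advisory describes, a hard budget on pairwise field comparisons. The `Field` and `InlineFragment` classes are simplified stand-ins for the library's AST, the selection sets are constructed by hand rather than parsed from a real document, and `MAX_FIELD_COMPARISONS` is an assumed value, not the limit version 15.32.2 enforces. `count_comparisons` shows how the work of the uncapped check grows when inline fragments repeat the same field at several nesting levels, and `validate_outcome` shows the budget rejecting such a selection set before that work is done.

```python
"""Toy model of an OverlappingFieldsCanBeMerged-style check with a comparison budget.

Added example, not graphql-php code: the selection sets below are hand-built
(constructed) rather than parsed from a real document, and MAX_FIELD_COMPARISONS
is an assumed limit, not the value the library enforces.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Union

MAX_FIELD_COMPARISONS = 1000  # assumed budget, not the library's constant


@dataclass
class Field:
    name: str
    alias: Optional[str] = None
    selections: List["Selection"] = field(default_factory=list)

    @property
    def response_key(self) -> str:
        # Two fields only need merging if they land on the same response key.
        return self.alias or self.name


@dataclass
class InlineFragment:
    type_condition: str
    selections: List["Selection"] = field(default_factory=list)


Selection = Union[Field, InlineFragment]


class FieldConflict(Exception):
    """Two fields share a response key but cannot be merged."""


class ComparisonBudgetExceeded(Exception):
    """Validation abandoned: the query needed more pairwise checks than allowed."""


class Budget:
    """Shared counter so the cap applies across the whole recursive walk."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.used = 0

    def spend(self) -> None:
        self.used += 1
        if self.used > self.limit:
            raise ComparisonBudgetExceeded(f"more than {self.limit} field comparisons")


def collect_fields(selections: List[Selection]) -> List[Field]:
    """Flatten inline fragments so every reachable field is visible in one list."""
    out: List[Field] = []
    for sel in selections:
        if isinstance(sel, Field):
            out.append(sel)
        else:
            out.extend(collect_fields(sel.selections))
    return out


def check_merge(selections: List[Selection], budget: Budget) -> None:
    """Compare every pair of fields sharing a response key; each pair costs one unit.

    Inline fragments multiply the fields under one key, and the recursion into the
    merged sub-selections multiplies again, so the work grows quadratically or
    worse unless a cap stops it.
    """
    groups: Dict[str, List[Field]] = {}
    for f in collect_fields(selections):
        groups.setdefault(f.response_key, []).append(f)
    for key, group in groups.items():
        for a, b in combinations(group, 2):
            budget.spend()  # the hard limit is enforced before any further work
            if a.name != b.name:
                raise FieldConflict(f"response key {key!r} selects {a.name} and {b.name}")
            check_merge(a.selections + b.selections, budget)


def validate_outcome(selections: List[Selection], limit: int = MAX_FIELD_COMPARISONS) -> str:
    """Return 'ok', 'conflict' or 'budget_exceeded' for a selection set under a cap."""
    try:
        check_merge(selections, Budget(limit))
    except FieldConflict:
        return "conflict"
    except ComparisonBudgetExceeded:
        return "budget_exceeded"
    return "ok"


def count_comparisons(selections: List[Selection]) -> int:
    """Measure the work a selection set costs when no cap is applied."""
    budget = Budget(limit=10**9)
    check_merge(selections, budget)
    return budget.used


def repeated_in_fragments(name: str, copies: int,
                          children: Optional[List[Selection]] = None) -> List[Selection]:
    """Constructed selection set: `copies` inline fragments each selecting `name` once."""
    return [InlineFragment("T", [Field(name, selections=list(children or []))])
            for _ in range(copies)]


if __name__ == "__main__":
    flat = [Field("id"), Field("name")]
    nested = repeated_in_fragments("a", 4, repeated_in_fragments("b", 4))
    print(validate_outcome(flat), count_comparisons(flat))          # ok 0
    print(count_comparisons(nested), validate_outcome(nested, 100))  # 174 budget_exceeded
```

Four fragments repeating one field, each carrying four more fragments repeating a child field, already cost 174 pairwise checks in this model, while a flat selection costs none; a budget turns that growth into a cheap, early rejection instead of a CPU sink. The model is only an illustration of the pattern: the actual fix is upgrading to graphql-php 15.32.2 or later, and the library's own limit and counting strategy may differ from this toy.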
