
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FC86-6RV6-2JPM: Denial of Service via Algorithmic Complexity in webonyx/graphql-php

Vulnerability ID: GHSA-FC86-6RV6-2JPM
CVSS Score: 7.5
Published: 2026-05-04

The webonyx/graphql-php library before version 15.32.2 contains a Denial of Service vulnerability due to uncontrolled resource consumption. The flaw resides in the OverlappingFieldsCanBeMerged validation rule, where improper handling of inline fragments causes quadratic or worse computational complexity during the query validation phase.

TL;DR

A Denial of Service vulnerability in webonyx/graphql-php allows unauthenticated attackers to exhaust CPU resources using specially crafted GraphQL queries containing nested inline fragments. The OverlappingFieldsCanBeMerged validation rule lacks appropriate limits, causing O(N^2) complexity. Version 15.32.2 patches this by implementing a hard limit on field comparisons.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5
  • Impact: High (Denial of Service)
  • Exploit Status: Proof of Concept available
  • CISA KEV: Not Listed

Affected Systems

  • webonyx/graphql-php before version 15.32.2
  • graphql-php: < 15.32.2 (Fixed in: 15.32.2)

Code Analysis

Commit: 996adcf

Fix DoS vulnerability in OverlappingFieldsCanBeMerged by introducing comparison limits

Exploit Details

  • GitHub Advisory: Proof of concept demonstrating O(N^2) complexity via nested inline fragments.

Mitigation Strategies

  • Upgrade webonyx/graphql-php to version 15.32.2 or higher.
  • Implement custom comparison limits by instantiating OverlappingFieldsCanBeMerged with a specific integer threshold.
  • Enforce maximum query depth and node count limits at the GraphQL endpoint level.
  • Utilize WAF rules to detect and block queries with a high density of inline fragment definitions.

Remediation Steps

  1. Identify the current version of webonyx/graphql-php running in the application by checking composer.json or composer.lock.
  2. Execute 'composer require webonyx/graphql-php:^15.32.2' to update the library to the secure version.
  3. Run the application's automated test suite to ensure the new comparison limits do not break existing valid, highly complex queries.
  4. If valid queries fail validation, manually configure the OverlappingFieldsCanBeMerged rule with a higher custom limit that still protects against DoS.
  5. Deploy the updated application to production environments.
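The following is an added example, not code from the advisory or from the graphql-php project, showing how the mitigation strategies above and remediation step 4 fit together in one validation setup for graphql-php 15.32.2 or later. It assumes a Composer autoloader at vendor/autoload.php, that the integer passed to the OverlappingFieldsCanBeMerged constructor is the comparison limit the advisory describes (the report does not name the parameter), and that the four limit constants are placeholders to be tuned against your own legitimate queries.

```php
<?php
// Added example (not from the advisory or the graphql-php project):
// a hardened validation setup for webonyx/graphql-php >= 15.32.2.
// Assumptions: Composer autoloader at vendor/autoload.php; the integer
// accepted by OverlappingFieldsCanBeMerged is the comparison limit the
// advisory describes (parameter name not stated there); all limit values
// are placeholders to tune against the application's own valid queries.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GraphQL\Language\AST\DocumentNode;
use GraphQL\Language\AST\NodeKind;
use GraphQL\Language\Parser;
use GraphQL\Language\Visitor;
use GraphQL\Type\Definition\ObjectType;
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Schema;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\OverlappingFieldsCanBeMerged;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\Rules\QueryDepth;

const MAX_INLINE_FRAGMENTS   = 50;    // placeholder: cheap pre-validation gate (WAF-style)
const MAX_QUERY_DEPTH        = 10;    // placeholder: QueryDepth rule
const MAX_QUERY_COMPLEXITY   = 200;   // placeholder: QueryComplexity rule
const FIELD_COMPARISON_LIMIT = 10000; // placeholder: OverlappingFieldsCanBeMerged threshold

/** Count inline fragments in the parsed document before any validation rule runs. */
function countInlineFragments(DocumentNode $ast): int
{
    $count = 0;
    Visitor::visit($ast, [
        NodeKind::INLINE_FRAGMENT => static function () use (&$count): void {
            $count++;
        },
    ]);
    return $count;
}

/** Register the hardened rule set; addRule replaces any default rule with the same name. */
function registerHardenedRules(): void
{
    DocumentValidator::addRule(new QueryDepth(MAX_QUERY_DEPTH));
    DocumentValidator::addRule(new QueryComplexity(MAX_QUERY_COMPLEXITY));
    // Constructor argument assumed to be the comparison limit introduced in 15.32.2.
    DocumentValidator::addRule(new OverlappingFieldsCanBeMerged(FIELD_COMPARISON_LIMIT));
}

/** Return validation error messages; an empty list means the query may proceed to execution. */
function checkQuery(Schema $schema, string $source): array
{
    $ast = Parser::parse($source);

    // Structural gate: reject fragment-dense documents before the O(N^2) rule sees them.
    $fragments = countInlineFragments($ast);
    if ($fragments > MAX_INLINE_FRAGMENTS) {
        return ["Rejected: $fragments inline fragments exceed the limit of " . MAX_INLINE_FRAGMENTS];
    }

    $errors = DocumentValidator::validate($schema, $ast);
    return array_map(static fn($e) => $e->getMessage(), $errors);
}

// Constructed toy schema for the demonstration.
$userType = new ObjectType([
    'name'   => 'User',
    'fields' => [
        'id'   => Type::nonNull(Type::id()),
        'name' => Type::string(),
    ],
]);
$schema = new Schema([
    'query' => new ObjectType([
        'name'   => 'Query',
        'fields' => [
            'me' => ['type' => $userType, 'resolve' => static fn() => ['id' => '1', 'name' => 'a']],
        ],
    ]),
]);

registerHardenedRules();

// Constructed benign query with two inline fragments: within every limit, so no errors.
$ok = '{ me { ... on User { id } ... on User { name } } }';
var_dump(checkQuery($schema, $ok));
```

DocumentValidator::addRule keys rules by name, so registering a new OverlappingFieldsCanBeMerged instance replaces the library's default one for every subsequent validation. Pick the comparison limit the way step 3 suggests: run the existing test suite and production query corpus against the default, and raise the value only as far as the largest legitimate query requires, so the bound still caps CPU spent on crafted fragment-heavy documents.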
