DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-R7CG-QJJM-XHQQ: Unbounded Recursion Denial of Service in webonyx/graphql-php

Vulnerability ID: GHSA-R7CG-QJJM-XHQQ
CVSS Score: 7.5
Published: 2026-05-05

An uncontrolled recursion vulnerability (CWE-674) in the webonyx/graphql-php library allows unauthenticated remote attackers to trigger a Denial of Service (DoS). The vulnerability resides in the recursive descent parser, which fails to limit the depth of nested structures, leading to a stack overflow and subsequent PHP process crash.

TL;DR

A flaw in webonyx/graphql-php's parser allows attackers to crash the PHP process via highly nested GraphQL queries, bypassing application-level validation. The issue is fixed in version 15.32.3 by implementing a default recursion limit of 256.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: CWE-674: Uncontrolled Recursion
  • Attack Vector: Network (Unauthenticated)
  • Impact: High (Denial of Service via Process Crash)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed
  • Affected Component: Language\Parser class

Affected Systems

  • webonyx/graphql-php
  • PHP-FPM Worker Processes
  • PHP CLI instances utilizing vulnerable library versions
  • graphql-php: < 15.32.3 (Fixed in: 15.32.3)

Code Analysis

Commit: 7b7f208

Add recursion limits to Parser to prevent stack overflow DoS

Added `recursionDepth` and `recursionLimit` tracking with `increaseRecursionDepth()` throwing `SyntaxError` on limit breach.

Exploit Details

  • Advisory PoC: Deeply nested lists triggering unbounded recursion via input array structures.
  • Advisory PoC: Deeply nested field selections triggering unbounded recursion via parsed schemas.

Mitigation Strategies

  • Library Upgrade
  • Configuration Audit
  • Web Application Firewall (WAF) Filtering

Remediation Steps:

  1. Execute `composer update webonyx/graphql-php` to upgrade the package to version 15.32.3 or later.
  2. Review custom instances of the `Language\Parser` class to ensure `recursionLimit` is not configured to 0.
  3. Deploy WAF rules to block HTTP requests containing an abnormal sequence of structural characters (e.g., >100 consecutive `{` or `[` characters).
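The following PHP is an added illustration written for this post, not code from webonyx/graphql-php or from the advisory. It shows the two points above on a toy recursive-descent parser for nested list literals (the "deeply nested lists" shape from the PoC description): the unbounded variant recurses once per `[` with nothing but the PHP call stack to stop it (the CWE-674 pattern), and the bounded variant adds a `recursionDepth`/`recursionLimit` counter with an `increaseRecursionDepth()` check, following the names in the commit description; the class layout, the `ParserLimitError` exception and the `maxNestingDepth()` pre-filter (a request-body check in the spirit of remediation step 3) are hypothetical and assumed here, and the 300-level input is constructed.

```php
<?php
declare(strict_types=1);

// Constructed illustration, not graphql-php code: a minimal parser for nested
// list literals such as "[[1],[2,[3]]]", shown unbounded and then bounded.
final class ParserLimitError extends RuntimeException {}

abstract class ListParser
{
    protected int $pos = 0;

    public function __construct(protected string $src) {}

    protected function peek(): string
    {
        return $this->pos < strlen($this->src) ? $this->src[$this->pos] : '';
    }

    protected function expect(string $ch): void
    {
        if ($this->peek() !== $ch) {
            throw new RuntimeException("expected '$ch' at offset {$this->pos}");
        }
        $this->pos++;
    }

    /** Parse one value: a list "[...]" or a run of digits; returns nested array or int. */
    public function parseValue(): array|int
    {
        if ($this->peek() === '[') {
            return $this->parseList();
        }
        $start = $this->pos;
        while (ctype_digit($this->peek())) { $this->pos++; }
        if ($start === $this->pos) {
            throw new RuntimeException("unexpected character at offset {$this->pos}");
        }
        return (int) substr($this->src, $start, $this->pos - $start);
    }

    abstract protected function parseList(): array;

    protected function parseListBody(): array
    {
        $this->expect('[');
        $items = [];
        if ($this->peek() !== ']') {
            $items[] = $this->parseValue();          // recursion: list inside list
            while ($this->peek() === ',') {
                $this->pos++;
                $items[] = $this->parseValue();
            }
        }
        $this->expect(']');
        return $items;
    }
}

/** Vulnerable shape: nesting depth is bounded only by the PHP call stack. */
final class UnboundedListParser extends ListParser
{
    protected function parseList(): array { return $this->parseListBody(); }
}

/** Fixed shape: every recursive descent is counted and checked against a limit. */
final class BoundedListParser extends ListParser
{
    private int $recursionDepth = 0;

    public function __construct(string $src, private int $recursionLimit = 256)
    {
        parent::__construct($src);
    }

    private function increaseRecursionDepth(): void
    {
        // A limit of 0 switches the check off, which is why a configuration
        // audit should confirm the limit is not set to 0.
        if ($this->recursionLimit > 0 && ++$this->recursionDepth > $this->recursionLimit) {
            throw new ParserLimitError("nesting depth exceeds limit of {$this->recursionLimit}");
        }
    }

    protected function parseList(): array
    {
        $this->increaseRecursionDepth();
        try {
            return $this->parseListBody();
        } finally {
            $this->recursionDepth--;                 // unwind on success or error
        }
    }
}

/** Hypothetical pre-parse check: deepest run of open brackets/braces in a body. */
function maxNestingDepth(string $body): int
{
    $depth = 0; $max = 0;
    foreach (str_split($body) as $ch) {
        if ($ch === '{' || $ch === '[')      { $max = max($max, ++$depth); }
        elseif ($ch === '}' || $ch === ']')  { $depth = max(0, $depth - 1); }
    }
    return $max;
}

// Constructed input: 300 nested lists around a single integer.
$nested = str_repeat('[', 300) . '1' . str_repeat(']', 300);
echo "max nesting depth: ", maxNestingDepth($nested), "\n";
try {
    (new BoundedListParser($nested))->parseValue();
} catch (ParserLimitError $e) {
    echo "bounded parser rejected input: ", $e->getMessage(), "\n";
}
// UnboundedListParser would recurse once per level here; with a large enough
// repeat count that recursion exhausts the PHP stack and the worker dies.
```

Run with `php nested.php` (PHP 8.0 or later for constructor promotion and union return types). The bounded parser turns a stack-exhausting input into a catchable exception with a clear message, and `maxNestingDepth()` lets a front-end filter reject the request before any parser, GraphQL or otherwise, spends a stack frame on it.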

Read the full report for GHSA-R7CG-QJJM-XHQQ on our website for more details including interactive diagrams and full exploit analysis.
