GraphQL Deep Recursion Query Attack
Reference
Plugin Id: 40100 | CWE: 400
Remediation
To protect against GraphQL deep recursion attacks, implement comprehensive depth and complexity controls:
-
Implement query depth limiting: Set maximum query depth limits to prevent deeply nested queries that exploit recursive relationships.
Example (GraphQL Depth Limit):
const depthLimit = require('graphql-depth-limit'); const server = new ApolloServer({ typeDefs, resolvers, validationRules: [depthLimit(10)] // Maximum depth of 10 }); -
Use query complexity analysis: Implement query complexity scoring that accounts for recursive operations.
Example (GraphQL Query Complexity with recursion penalties):
const { createComplexityLimitRule } = require('graphql-validation-complexity'); const server = new ApolloServer({ typeDefs, resolvers, validationRules: [ createComplexityLimitRule(1000, { onCost: (cost, context) => { if (cost > 500) { console.log('High complexity query detected:', cost); } } }) ] }); -
Implement execution timeouts: Configure strict timeouts for query execution to prevent long-running recursive operations.
Example (Query timeout with Apollo Server):
const server = new ApolloServer({ typeDefs, resolvers, plugins: [ { requestDidStart() { return { willSendResponse(requestContext) { const timeout = setTimeout(() => { requestContext.response.errors = [new Error('Query timeout')]; }, 10000); // 10 second timeout clearTimeout(timeout); } }; } } ] }); -
Monitor recursive field usage: Track and limit the use of fields that can cause recursive queries.
About
GraphQL deep recursion attacks specifically target recursive relationships in GraphQL schemas where types reference themselves or create circular dependencies. Unlike general deep nesting attacks, these exploits focus on schema relationships like User→friends→User or Post→comments→replies→Post that can create infinite recursion paths. Attackers craft queries that traverse these recursive relationships to extreme depths, potentially causing exponential resource consumption, stack overflow errors, or application crashes.
Risks
The risks associated with GraphQL deep recursion vulnerabilities include:
- Exponential resource consumption: Recursive queries can grow exponentially with each level of nesting, quickly overwhelming server resources.
- Stack overflow errors: Deep recursion can exhaust the call stack, causing application crashes or memory corruption.
- Database connection exhaustion: Recursive queries may generate complex database operations that exhaust connection pools.
- Cascading system failure: Resource exhaustion from recursive queries can impact other application components and services.