Absinthe: Unbounded atom creation from parsed directive name

Summary When Absinthe parses a GraphQL SDL document, every directive @ definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard 1,048,576 atom-table limit, any application that feeds...

CVE-2026-42793

Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules ca...

GHSA-R7CG-QJJM-XHQQ webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input

Summary GraphQL\Language\Parser is a recursive descent parser with no recursion depth limit and no zend.maxallowedstacksize interaction. Crafted nested queries trigger a SIGSEGV in the PHP runtime, killing the FPM/CLI worker process. Smallest crashing payload is approximately 74 KB. Affected...

CVE-2026-40324

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

CVE-2026-40324 Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

CVE-2026-40324 Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

CVE-2026-40324

Hot Chocolate (GraphQL server) contains a vulnerability in Utf8GraphQLParser: prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, the recursive descent parser has no recursion-depth limit, so deeply nested GraphQL documents (as small as ~40 KB) can trigger a StackOverflowException. This unca...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the Utf8GraphQLParser parser. An attacker can cause the application to terminate unexpectedly and disrupt all active services by submitting a crafted GraphQL document with deeply nested selection sets, object...

ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents

Impact Hot Chocolate's Utf8GraphQLParser is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a StackOverflowException on payloads as small as 40 KB. Because...

GHSA-QR3M-XW4C-JQW3 ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents

Impact Hot Chocolate's Utf8GraphQLParser is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a StackOverflowException on payloads as small as 40 KB. Because...

PT-2026-33381

Name of the Vulnerable Software and Affected Versions Hot Chocolate versions prior to 12.22.7 Hot Chocolate versions prior to 13.9.16 Hot Chocolate versions prior to 14.3.1 Hot Chocolate versions prior to 15.1.14 Description The recursive descent parser Utf8GraphQLParser lacks a recursion depth...

Directus 信息泄露漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a vulnerability related to information leakage. This vulnerability stemmed from the serverspecs GraphQL parser not...

OSV-2025-436 Security exception in graphql.parser.GraphqlAntlrToLanguage.createNonNullType

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=422217211 Crash type: Security exception Crash state: graphql.parser.GraphqlAntlrToLanguage.createNonNullType graphql.parser.GraphqlAntlrToLanguage.createType graphql.parser.GraphqlAntlrToLanguage.createListType...

OSV-2025-215 Security exception in graphql.parser.GraphqlAntlrToLanguage.createType

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=403877661 Crash type: Security exception Crash state: graphql.parser.GraphqlAntlrToLanguage.createType graphql.parser.GraphqlAntlrToLanguage.createListType graphql.parser.GraphqlAntlrToLanguage.createNonNullType...

Denial Of Service (DoS)

github.com/42atomys/stud42 is vulnerable to Denial of Service DoS. The vulnerability exits due to the graphQL parser which has the potential to overload the API pod because it does not check for a max content length, resulting in an attacker crashing the application...

PT-2023-32969 · S42.App · S42.App

Name of the Vulnerable Software and Affected Versions: s42.app affected versions not specified Description: A security issue has been identified in the GraphQL parser used by the API of s42.app, allowing an attacker to overload the parser and cause the API pod to crash. By sending a specially...

Stud42 vulnerable to denial of service

Stud42's API is vulnerable to a denial of service because the API pod can be overloaded by the GraphQL parser...