GHSA-FC86-6RV6-2JPM webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
Summary OverlappingFieldsCanBeMerged validation rule has On^2 x m^2 worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query 200 outer x 100 inner inline fragments consumes 117 seconds of CPU per request, with no comparison...