GraphQL PHP: Malicious Query Can Cause Excessive CPU Usage

GHSA-68jq-c3rv-pcrr
Summary

A specific type of malicious GraphQL query can cause a GraphQL PHP application to become unresponsive due to excessive CPU usage. This occurs when a query contains many repeated fields with the same name, which can be exploited by an attacker. To protect against this, consider applying the fix provided by the developer or taking steps to prevent such queries, such as limiting the number of nested fields in a query.

What to do
  • Update webonyx/graphql-php to version 15.31.5.
Affected software
Vendor    Product               Affected versions   Fix available
webonyx   webonyx/graphql-php   <= 15.31.5          15.31.5
Original title
graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
Original description
The `OverlappingFieldsCanBeMerged` validation rule exhibits quadratic time complexity when processing queries with many repeated fields sharing the same response name. An attacker can send a crafted query like `{ hello hello hello ... }` with thousands of repeated fields, causing excessive CPU usage during validation before execution begins.

This is not mitigated by existing QueryDepth or QueryComplexity rules.

**Observed impact (tested on v15.31.4):**
- 1000 fields: ~0.6s
- 2000 fields: ~2.4s
- 3000 fields: ~5.3s
- 5000 fields: request timeout (>20s)

**Root cause:** `collectConflictsWithin()` performs O(n²) pairwise comparisons of all fields with the same response name. For identical repeated fields, every comparison returns "no conflict" but the quadratic iteration count causes resource exhaustion.

**Fix:** Deduplicate structurally identical fields before pairwise comparison, reducing the complexity from O(n²) to O(u²) where u is the number of unique field signatures (typically 1 for this attack pattern).
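To make the root cause and the fix concrete, the following added example (not graphql-php's own code) models the two behaviours on a toy flat selection set: the pre-fix pairwise loop over every field sharing a response name, and the post-fix loop that first deduplicates by structural signature. It also includes a cheap O(n) pre-validation metric a defender can cap before the validator runs. The parser, the `Field` class, the function names and the sample queries are all constructed for this illustration and are not graphql-php's API.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Minimal model of a field in a flat GraphQL selection set (constructed for this
# example; not graphql-php's AST). response_name is the key the client sees.
@dataclass(frozen=True)
class Field:
    name: str
    alias: Optional[str] = None
    args: Tuple[Tuple[str, str], ...] = ()

    @property
    def response_name(self) -> str:
        return self.alias or self.name

    def signature(self) -> Tuple:
        # Fields are "structurally identical" when name and arguments match.
        return (self.name, self.args)


_FIELD_RE = re.compile(r"(?:(\w+)\s*:\s*)?(\w+)(?:\(([^)]*)\))?")


def parse_flat_query(query: str) -> List[Field]:
    """Hypothetical toy parser for flat selection sets such as
    '{ a: hello hello(x: 1) }' (no nesting, fragments or variables)."""
    body = query.strip().strip("{}")
    fields = []
    for alias, name, raw_args in _FIELD_RE.findall(body):
        args: Tuple[Tuple[str, str], ...] = ()
        if raw_args:
            pairs = [p.split(":", 1) for p in raw_args.split(",") if ":" in p]
            args = tuple(sorted((k.strip(), v.strip()) for k, v in pairs))
        fields.append(Field(name=name, alias=alias or None, args=args))
    return fields


def _conflict(a: Field, b: Field) -> bool:
    # Callers only compare fields sharing a response name, so any difference in
    # underlying field name or arguments is a merge conflict.
    return a.signature() != b.signature()


def collect_conflicts_naive(fields: List[Field]) -> Tuple[List[Tuple[Field, Field]], int]:
    """Pre-fix behaviour: compare every pair of fields with the same response
    name. Returns (conflicts, number_of_pairwise_comparisons)."""
    groups: Dict[str, List[Field]] = defaultdict(list)
    for f in fields:
        groups[f.response_name].append(f)
    conflicts, comparisons = [], 0
    for group in groups.values():
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                comparisons += 1
                if _conflict(group[i], group[j]):
                    conflicts.append((group[i], group[j]))
    return conflicts, comparisons


def collect_conflicts_dedup(fields: List[Field]) -> Tuple[List[Tuple[Field, Field]], int]:
    """Post-fix behaviour: keep one representative per (response name,
    signature) before the pairwise loop, so work is O(u^2) in unique signatures."""
    groups: Dict[str, Dict[Tuple, Field]] = defaultdict(dict)
    for f in fields:
        groups[f.response_name].setdefault(f.signature(), f)
    conflicts, comparisons = [], 0
    for reps in groups.values():
        uniq = list(reps.values())
        for i in range(len(uniq)):
            for j in range(i + 1, len(uniq)):
                comparisons += 1
                if _conflict(uniq[i], uniq[j]):
                    conflicts.append((uniq[i], uniq[j]))
    return conflicts, comparisons


def max_repeats_per_response_name(fields: List[Field]) -> int:
    """O(n) pre-validation metric a server can cap: the largest number of
    fields sharing one response name in the selection set."""
    counts: Dict[str, int] = defaultdict(int)
    for f in fields:
        counts[f.response_name] += 1
    return max(counts.values(), default=0)


# Constructed sample queries: the repeated-field pattern from the advisory, and
# a genuinely conflicting selection that both implementations must still catch.
REPEATED = "{ " + "hello " * 1000 + "}"
ALIASED = "{ a: hello a: bye }"

if __name__ == "__main__":
    rep = parse_flat_query(REPEATED)
    print("naive:", collect_conflicts_naive(rep)[1], "comparisons")   # 499500
    print("dedup:", collect_conflicts_dedup(rep)[1], "comparisons")   # 0
    print("max repeats:", max_repeats_per_response_name(rep))          # 1000
    print("conflicts still found:", len(collect_conflicts_dedup(parse_flat_query(ALIASED))[0]))
```

For n identical fields the naive loop performs n(n-1)/2 comparisons, which is the quadratic growth in the timings above; after deduplication the same input collapses to a single representative and zero comparisons, while a real conflict such as `{ a: hello a: bye }` is still reported by both versions. The `max_repeats_per_response_name` count is the kind of bound a deployment can enforce as a pre-validation guard while the upgrade is rolled out.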

**Credit:** Ashwak N ([email protected])
Source: osv · CVSS 4.0 score: 7.8
Vulnerability type
CWE-407
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026