Severity: medium | CWE-770 | OWASP A04:2021

GraphQL Without Query Depth Limit

GraphQL API with no depth limit on nested queries, allowing attackers to craft deeply nested queries that exhaust server resources and cause denial of service.

How It Works

GraphQL's flexible querying lets clients request nested relationships. Without a depth limit, an attacker can write a query 100 levels deep (user -> friends -> friends -> friends...) that causes an exponential number of database queries or exhausts server memory, because each nested level fans out over every item returned by the level above it. This is a denial-of-service attack specific to GraphQL's recursive query nature.

Vulnerable Code

// BAD: no depth limit — this query would bring down the server
// query { user { friends { friends { friends { friends { name } } } } } }

Secure Code

// GOOD: use graphql-depth-limit plugin
import { ApolloServer } from '@apollo/server'; // Apollo Server 4; v3 exports it from 'apollo-server'
import depthLimit from 'graphql-depth-limit';
import { typeDefs } from './schema.js';       // schema and resolvers live elsewhere (paths assumed)
import { resolvers } from './resolvers.js';

const server = new ApolloServer({
  typeDefs,
  resolvers,
  // Validation rules run before any resolver executes, so an over-deep query
  // is rejected with a validation error instead of hitting the database.
  validationRules: [depthLimit(5)], // max 5 levels deep
});

Real-World Example

GitHub's GraphQL API enforced depth limits after finding that complex nested queries could cause response times over 30 seconds. GitHub also introduced a complexity scoring system to prevent expensive queries, not just deep ones.

How to Prevent It

  • Install graphql-depth-limit and set a reasonable limit (5-7 levels is usually sufficient)
  • Also implement query complexity limits using graphql-query-complexity
  • Set a query timeout in your GraphQL server to kill runaway queries
  • Rate limit by query complexity score, not just request count
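The depth check described under "How It Works" and in the first prevention step, as an added, dependency-free example (not the page's code and not the graphql-depth-limit library itself): it measures how deeply a query's selection sets nest, rejects anything over a configured limit before any resolver runs, and estimates the worst-case resolver fan-out so the exponential growth is visible. The depth convention (nested selection sets below the operation's own), the helper names and the sample query are assumptions made here; in production use a parser-based rule such as graphql-depth-limit, since this brace scanner only approximates it.

```javascript
// Added example: approximate a GraphQL depth-limit validation rule without
// any dependencies. Depth = number of selection sets nested below the
// operation's top-level set: `query { user { friends { name } } }` -> 2.
// Braces inside strings, comments and argument lists (input object literals
// such as `user(where: {id: 1})`) are skipped so they are not counted.
function queryDepth(query) {
  let nesting = 0;    // current brace nesting, including the operation's own set
  let maxNesting = 0;
  let parens = 0;     // >0 while inside an argument list; braces there are data, not fields
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                              // line comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (ch === '"') {                              // string literal, single or block (""")
      const block = query.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < query.length) {
        if (query[i] === '\\') { i += 2; continue; }  // skip escaped character
        if (block ? query.startsWith('"""', i) : query[i] === '"') break;
        i++;
      }
      i += block ? 3 : 1;
      continue;
    }
    if (ch === '(') parens++;
    else if (ch === ')') parens--;
    else if (parens === 0 && ch === '{') {
      nesting++;
      if (nesting > maxNesting) maxNesting = nesting;
    } else if (parens === 0 && ch === '}') nesting--;
    i++;
  }
  if (nesting !== 0 || parens !== 0) throw new Error('unbalanced braces or parentheses in query');
  return Math.max(0, maxNesting - 1);
}

// Validation in the spirit of depthLimit(n): decide before executing anything.
function checkDepth(query, maxDepth) {
  const depth = queryDepth(query);
  return depth > maxDepth
    ? { ok: false, depth, error: `query depth ${depth} exceeds limit ${maxDepth}` }
    : { ok: true, depth };
}

// Worst-case resolver invocations for a chain nested `depth` levels where each
// level returns `fanout` items: 1 + f + f^2 + ... + f^(depth-1).
function estimateResolverCalls(depth, fanout) {
  let total = 0;
  for (let level = 0; level < depth; level++) total += fanout ** level;
  return total;
}

// Constructed sample input: the page's user -> friends -> friends chain, `levels` deep.
function nestedFriendsQuery(levels) {
  let inner = 'name';
  for (let i = 0; i < levels; i++) inner = `friends { ${inner} }`;
  return `query { user { ${inner} } }`;
}

// Demo: a modest query passes, a deeply nested one is rejected up front.
const LIMIT = 5;
for (const q of ['query { user { name } }', nestedFriendsQuery(10)]) {
  const result = checkDepth(q, LIMIT);
  console.log(result.ok ? `accepted (depth ${result.depth})` : `rejected: ${result.error}`);
}
console.log('resolver calls for depth 4, fan-out 10:', estimateResolverCalls(4, 10));
```

The estimate is what makes the "5-7 levels" guidance concrete: with 10 friends per user, depth 4 costs about a thousand resolver calls while depth 8 costs over ten million, so a depth cap is the cheapest defence and a complexity score (the second prevention step) catches wide-but-shallow queries the cap alone misses.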

Affected Technologies

Node.js, Next.js

Data Hogo detects this vulnerability automatically.
