webonyx/graphql-php is vulnerable to Denial of service (DoS)
75
High Risk
The OverlappingFieldsCanBeMerged validation rule compares candidate fields for merge conflicts. When a query uses many nested inline fragments that project the same response name, the work in the conflict routine can grow far faster than linearly, because inline fragments are not covered by the memoization that applies to named fragments; the validator can therefore spend a long time in pure CPU on a small document. The fix adds a shared comparison counter that increments across the recursive checks and reports a validation error once a configurable limit (with a large default) is exceeded, so a single request cannot drive unbounded comparison work in that rule. Typical depth and per-query complexity limits do not catch this pattern, because the cost sits in this merge pass, before execution.
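The following is an added illustration of the mechanism described above, written in Python as a language-agnostic toy model; it is not graphql-php's code, and the `max_comparisons` knob, the `MergeChecker` class and the selection-set builder are hypothetical names chosen for this example (the page does not name the library's actual configuration option). It implements a simplified version of the spec's FieldsInSetCanMerge check without any memoization of inline fragments, counts every pairwise field comparison, and shows that a document only a few levels deep triggers hundreds of thousands of comparisons that a depth limit alone would never see, while a shared counter with a limit stops it early.

```python
"""Toy model of a bounded field-merge validation pass (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Field:
    name: str
    alias: Optional[str] = None
    args: Tuple[Tuple[str, str], ...] = ()
    selections: List["Selection"] = field(default_factory=list)

    @property
    def response_name(self) -> str:
        return self.alias or self.name


@dataclass
class InlineFragment:
    type_condition: str
    selections: List["Selection"] = field(default_factory=list)


Selection = Union[Field, InlineFragment]


class MergeConflict(Exception):
    """Two fields with the same response name cannot be merged."""


class ComparisonLimitExceeded(Exception):
    """The validator did more pairwise comparisons than allowed."""


class MergeChecker:
    """Simplified FieldsInSetCanMerge with a shared comparison counter.
    Hypothetical API; graphql-php's real option name is not on this page."""

    def __init__(self, max_comparisons: Optional[int] = None) -> None:
        self.max_comparisons = max_comparisons
        self.comparisons = 0

    def collect_fields(self, selections: List[Selection]) -> dict:
        # Flatten inline fragments into their parent set; nothing is memoized,
        # so the same fragment is re-walked every time it is reached again.
        by_name: dict = {}
        for sel in selections:
            if isinstance(sel, Field):
                by_name.setdefault(sel.response_name, []).append(sel)
            else:
                for name, fields in self.collect_fields(sel.selections).items():
                    by_name.setdefault(name, []).extend(fields)
        return by_name

    def fields_in_set_can_merge(self, selections: List[Selection]) -> None:
        for fields in self.collect_fields(selections).values():
            for i in range(len(fields)):
                for j in range(i + 1, len(fields)):
                    self.compare(fields[i], fields[j])

    def compare(self, a: Field, b: Field) -> None:
        # One shared counter across all recursion levels; this is the mitigation.
        self.comparisons += 1
        if self.max_comparisons is not None and self.comparisons > self.max_comparisons:
            raise ComparisonLimitExceeded(f"more than {self.max_comparisons} comparisons")
        if a.name != b.name or a.args != b.args:
            raise MergeConflict(f"fields '{a.response_name}' conflict")
        # The merged sub-selection of both fields is checked recursively.
        self.fields_in_set_can_merge(a.selections + b.selections)


def check_merge(selections: List[Selection], max_comparisons: Optional[int] = None) -> int:
    """Run the check and return how many comparisons it needed."""
    checker = MergeChecker(max_comparisons)
    checker.fields_in_set_can_merge(selections)
    return checker.comparisons


def selection_depth(selections: List[Selection]) -> int:
    """Field nesting depth, i.e. what a typical depth limit would measure."""
    depth = 0
    for sel in selections:
        if isinstance(sel, Field):
            depth = max(depth, 1 + selection_depth(sel.selections))
        else:
            depth = max(depth, selection_depth(sel.selections))
    return depth


def nested_inline_fragments(width: int, depth: int) -> List[Selection]:
    """Constructed pathological shape: `width` inline fragments per level, each
    projecting the same response name 'a', nested `depth` levels deep."""
    if depth == 0:
        return []
    inner = nested_inline_fragments(width, depth - 1)
    return [InlineFragment("T", [Field("a", selections=list(inner))]) for _ in range(width)]


# Constructed benign query: { user { id name } user { id email } }
SANE_QUERY: List[Selection] = [
    Field("user", selections=[Field("id"), Field("name")]),
    Field("user", selections=[Field("id"), Field("email")]),
]

# Constructed conflicting query: { user: friend { id } user { id } }
CONFLICTING_QUERY: List[Selection] = [
    Field("friend", alias="user", selections=[Field("id")]),
    Field("user", selections=[Field("id")]),
]


if __name__ == "__main__":
    doc = nested_inline_fragments(2, 6)
    print("depth:", selection_depth(doc), "comparisons:", check_merge(doc))
    try:
        check_merge(doc, max_comparisons=1000)
    except ComparisonLimitExceeded as exc:
        print("bounded run stopped:", exc)
```

With two fragments per level the comparison count follows S(d) = 1 + 6·S(d-1): 7 at depth 2, 259 at depth 4 and 9331 at depth 6, while the depth limit reports only 6 and the document holds a dozen fields. The counter is deliberately shared across the recursion rather than reset per selection set, because the blow-up comes from re-checking the same merged sub-selections for every parent pair.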
You are affected if you are using a version that falls within the vulnerable range.
webonyx/graphql-php is vulnerable to Denial of service (DoS) in versions 0.0.1 - 15.32.1.
Upgrade the webonyx/graphql-php library to a patched version (later than 15.32.1).