GHSA-68jq-c3rv-pcrrMediumCVSS 7.5

graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation

Published
April 14, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

The OverlappingFieldsCanBeMerged validation rule exhibits quadratic time complexity when processing queries with many repeated fields sharing the same response name. An attacker can send a crafted query like { hello hello hello ... } with thousands of repeated fields, causing excessive CPU usage during validation before execution begins.

This is not mitigated by existing QueryDepth or QueryComplexity rules.

Observed impact (tested on v15.31.4):

  • 1000 fields: ~0.6s
  • 2000 fields: ~2.4s
  • 3000 fields: ~5.3s
  • 5000 fields: request timeout (>20s)

Root cause: collectConflictsWithin() performs O(n²) pairwise comparisons of all fields with the same response name. For identical repeated fields, every comparison returns "no conflict" but the quadratic iteration count causes resource exhaustion.

Fix: Deduplicate structurally identical fields before pairwise comparison, reducing the complexity from O(n²) to O(u²) where u is the number of unique field signatures (typically 1 for this attack pattern).

Credit: Ashwak N ([email protected])

🎯 Affected products1

  • composer/webonyx/graphql-php:<= 15.31.4

🔗 References (4)