GHSA-733v-p3h5-qpq7 @escape.tech/graphql-armor-cost-limit

Package

Manager: npm
Name: @escape.tech/graphql-armor-cost-limit
Vulnerable Version: >=0 <2.4.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation

### Summary

A query cost restriction enforced by the `cost-limit` plugin can be bypassed when `ignoreIntrospection` is enabled (the default configuration) by naming the query or fragment `__schema`.

### Details

At the start of the `computeComplexity` function, the following check handles the `ignoreIntrospection` option:

```ts
if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
  return 0;
}
```

However, `node` can be any of `FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode`. So, for example, sending the following query

```gql
query hello {
  books {
    title
  }
}
```

would create an `OperationDefinitionNode` with `node.name.value == 'hello'`. The check therefore matches any named node called `__schema`, not only the introspection field.

The proper way to handle this is to check for the `__schema` field itself, which is parsed as a `FieldNode`. The fix is

```ts
if (
  this.config.ignoreIntrospection &&
  'name' in node &&
  node.name?.value === '__schema' &&
  node.kind === Kind.FIELD
) {
  return 0;
}
```

to assert that the node must be a `FieldNode`.

### PoC

```gql
query {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}
```

```gql
query __schema {
  books {
    title
    author
  }
}
```

### Impact

Applications using the GraphQL Armor Cost Limit plugin with `ignoreIntrospection` enabled.

### Fix

Fixed in [772](https://github.com/Escape-Technologies/graphql-armor/pull/772). A quick mitigation is to set `ignoreIntrospection` to false.
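As an added illustration (not graphql-armor's own code), the vulnerable and fixed checks from the advisory run side by side against hand-built AST nodes that stand in for graphql-js's `Kind` values and node shapes, so it needs no `graphql` dependency; only the `kind` and `name` fields the check inspects are modelled.

```typescript
// Minimal stand-in for the graphql-js AST kinds named in the advisory
// (constructed for this example; only `kind` and `name` are modelled).
const Kind = {
  FIELD: "Field",
  OPERATION_DEFINITION: "OperationDefinition",
  FRAGMENT_DEFINITION: "FragmentDefinition",
  INLINE_FRAGMENT: "InlineFragment",
  FRAGMENT_SPREAD: "FragmentSpread",
} as const;

type KindValue = (typeof Kind)[keyof typeof Kind];
interface NameNode { value: string }
interface AstNode { kind: KindValue; name?: NameNode }
interface Config { ignoreIntrospection: boolean }

// Vulnerable check as quoted in the advisory: any named node called
// `__schema` is treated as introspection and costed at zero.
function vulnerableIsFree(config: Config, node: AstNode): boolean {
  return config.ignoreIntrospection && "name" in node && node.name?.value === "__schema";
}

// Fixed check (PR 772): the node must also be a FieldNode, i.e. the real
// `__schema` introspection field, not an operation or fragment borrowing the name.
function fixedIsFree(config: Config, node: AstNode): boolean {
  return (
    config.ignoreIntrospection &&
    "name" in node &&
    node.name?.value === "__schema" &&
    node.kind === Kind.FIELD
  );
}

// Constructed sample nodes mirroring the advisory's PoC queries.
const introspectionField: AstNode = { kind: Kind.FIELD, name: { value: "__schema" } };
const renamedOperation: AstNode = { kind: Kind.OPERATION_DEFINITION, name: { value: "__schema" } };
const renamedFragment: AstNode = { kind: Kind.FRAGMENT_DEFINITION, name: { value: "__schema" } };
const ordinaryField: AstNode = { kind: Kind.FIELD, name: { value: "books" } };

// Returns "kind:name" for every sample node a given check exempts from costing.
function exemptedNodes(check: (c: Config, n: AstNode) => boolean): string[] {
  const cfg: Config = { ignoreIntrospection: true };
  return [introspectionField, renamedOperation, renamedFragment, ordinaryField]
    .filter((n) => check(cfg, n))
    .map((n) => `${n.kind}:${n.name?.value}`);
}
```

With the vulnerable check, the renamed operation and fragment are exempted alongside the genuine introspection field; the fixed check exempts only `Field:__schema`.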

Metadata

Created: 2025-04-25T15:14:36Z
Modified: 2025-04-29T16:45:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-733v-p3h5-qpq7/GHSA-733v-p3h5-qpq7.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: N/A
Finding: F002
Auto approve: 1