GHSA-fc86-6rv6-2jpm: webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments
OverlappingFieldsCanBeMerged validation rule has O(n^2 x m^2) worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query (200 outer x 100 inner inline fragments) consumes 117 seconds of CPU per request, with no comparison budget and no validation timeout.
References
- github.com/advisories/GHSA-9pv7-vfvm-6vr7
- github.com/advisories/GHSA-fc86-6rv6-2jpm
- github.com/advisories/GHSA-p4qx-6w5p-4rj2
- github.com/graphql/graphql-js/issues/2185
- github.com/sangria-graphql-org/sangria/pull/12
- github.com/webonyx/graphql-php
- github.com/webonyx/graphql-php/commit/996adcfce33442f6fc01214777bc8620cc142d85
- github.com/webonyx/graphql-php/releases/tag/v15.32.2
- github.com/webonyx/graphql-php/security/advisories/GHSA-fc86-6rv6-2jpm
- spec.graphql.org/October2021/
Code Behaviors & Features
Detect and mitigate GHSA-fc86-6rv6-2jpm with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →