{"uuid": "725ceee1-9491-4827-b288-3fa40b53fa38", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-R7CG-QJJM-XHQQ", "type": "seen", "source": "https://gist.github.com/alon710/ba9b0db74ec141f4dfe472b1318d5102", "content": "# GHSA-R7CG-QJJM-XHQQ: Unbounded Recursion Denial of Service in webonyx/graphql-php\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/GHSA-R7CG-QJJM-XHQQ\n\n## Summary\nAn uncontrolled recursion vulnerability (CWE-674) in the webonyx/graphql-php library allows unauthenticated remote attackers to trigger a Denial of Service (DoS). The vulnerability resides in the recursive descent parser, which fails to limit the depth of nested structures, leading to a stack overflow and subsequent PHP process crash.\n\n## TL;DR\nA flaw in webonyx/graphql-php's parser allows attackers to crash the PHP process via highly nested GraphQL queries, bypassing application-level validation. The issue is fixed in version 15.32.3 by implementing a default recursion limit of 256.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **Vulnerability Class**: CWE-674: Uncontrolled Recursion\n- **Attack Vector**: Network (Unauthenticated)\n- **Impact**: High (Denial of Service via Process Crash)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n- **Affected Component**: Language\\Parser class\n\n## Affected Systems\n\n- webonyx/graphql-php\n- PHP-FPM Worker Processes\n- PHP CLI instances utilizing vulnerable library versions\n- **graphql-php**: < 15.32.3 (Fixed in: `15.32.3`)\n\n## Mitigation\n\n- Library Upgrade\n- Configuration Audit\n- Web Application Firewall (WAF) Filtering\n\n**Remediation Steps:**\n1. Execute `composer update webonyx/graphql-php` to upgrade the package to version 15.32.3 or later.\n2. Review custom instances of the `Language\\Parser` class to ensure `recursionLimit` is not configured to 0.\n3. Deploy WAF rules to block HTTP requests containing an abnormal sequence of structural characters (e.g., >100 consecutive `{` or `[` characters).\n\n## References\n\n- [GitHub Advisory: Unbounded recursion in parser causes stack overflow in webonyx/graphql-php](https://github.com/advisories/GHSA-R7CG-QJJM-XHQQ)\n- [Fix Commit: 7b7f2080ca5f7d5340a696fc5701b19a9222d2c2](https://github.com/webonyx/graphql-php/commit/7b7f2080ca5f7d5340a696fc5701b19a9222d2c2)\n- [Packagist: webonyx/graphql-php](https://packagist.org/packages/webonyx/graphql-php)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-R7CG-QJJM-XHQQ) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T17:40:29.000000Z"}