First published: Fri Apr 25 2025(Updated: )
### Summary

A query cost restriction enforced by the `cost-limit` plugin can be bypassed when `ignoreIntrospection` is enabled (the default configuration) by naming your query or fragment `__schema`.

### Details

At the start of the `computeComplexity` function, we have the following check for the `ignoreIntrospection` option:

```ts
if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
  return 0;
}
```

However, `node` can be any of `FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode`. So, for example, sending the following query

```gql
query hello {
  books {
    title
  }
}
```

would create an `OperationDefinitionNode` with `node.name.value == 'hello'`. The proper way to handle this would be to check for the `__schema` field, which would create a `FieldNode`. The fix is

```ts
import { Kind } from 'graphql'; // Kind.FIELD identifies a FieldNode in the graphql-js AST

if (
  this.config.ignoreIntrospection &&
  'name' in node &&
  node.name?.value === '__schema' &&
  node.kind === Kind.FIELD
) {
  return 0;
}
```

to assert that the node must be a `FieldNode`.

### PoC

```gql
query {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}
```

```gql
query __schema {
  books {
    title
    author
  }
}
```

### Impact

Applications using the GraphQL Armor Cost Limit plugin with `ignoreIntrospection` enabled.

### Fix

Fixed in [772](https://github.com/Escape-Technologies/graphql-armor/pull/772). A quick patch would be to set `ignoreIntrospection` to false.
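To make the difference between the two checks concrete, here is an added example (not code from graphql-armor) that models the exemption check as shipped in versions up to 2.4.0 beside the check after PR 772, and runs both over constructed AST-shaped nodes corresponding to a genuine `__schema` introspection field, the two PoC documents above, and an ordinary field. The `Kind` object is a stand-in for the `Kind` enum exported by the `graphql` package, defined locally so the example runs without that dependency; the sample nodes and the `bypassNodes` helper are constructed for this example.

```typescript
// Added example, not graphql-armor's own code: the computeComplexity exemption
// check before and after PR 772, applied to sample AST nodes built by hand.

// Stand-in for graphql-js `Kind` (assumption: values mirror the real enum) so the
// example runs without the graphql package installed.
const Kind = {
  FIELD: 'Field',
  FRAGMENT_DEFINITION: 'FragmentDefinition',
  FRAGMENT_SPREAD: 'FragmentSpread',
  INLINE_FRAGMENT: 'InlineFragment',
  OPERATION_DEFINITION: 'OperationDefinition',
} as const;

type NameNode = { kind: 'Name'; value: string };
// Minimal shape shared by the node union the plugin inspects: any variant may carry a name.
type CostNode = { kind: string; name?: NameNode };

// Check as shipped in <= 2.4.0: any named node called `__schema` is exempted from costing.
function isExemptVulnerable(node: CostNode, ignoreIntrospection: boolean): boolean {
  return ignoreIntrospection && 'name' in node && node.name?.value === '__schema';
}

// Check after the fix: only a FieldNode called `__schema` (real introspection) is exempted.
function isExemptFixed(node: CostNode, ignoreIntrospection: boolean): boolean {
  return (
    ignoreIntrospection &&
    'name' in node &&
    node.name?.value === '__schema' &&
    node.kind === Kind.FIELD
  );
}

const name = (value: string): NameNode => ({ kind: 'Name', value });

// Constructed sample nodes: a genuine introspection field, the three non-field nodes the
// PoC documents produce (operation, fragment definition, fragment spread), and a plain field.
const samples: Record<string, CostNode> = {
  introspectionField: { kind: Kind.FIELD, name: name('__schema') }, // { __schema { ... } }
  operationNamedSchema: { kind: Kind.OPERATION_DEFINITION, name: name('__schema') }, // query __schema { ... }
  fragmentNamedSchema: { kind: Kind.FRAGMENT_DEFINITION, name: name('__schema') }, // fragment __schema on Query
  spreadNamedSchema: { kind: Kind.FRAGMENT_SPREAD, name: name('__schema') }, // ...__schema
  ordinaryField: { kind: Kind.FIELD, name: name('books') },
};

// Names of sample nodes the vulnerable check exempts but the fixed check costs normally.
// The same predicate doubles as a log/alert rule for deployments still on <= 2.4.0:
// a non-field definition named `__schema` has no legitimate reason to exist.
function bypassNodes(ignoreIntrospection: boolean): string[] {
  return Object.keys(samples).filter(
    (key) =>
      isExemptVulnerable(samples[key], ignoreIntrospection) &&
      !isExemptFixed(samples[key], ignoreIntrospection),
  );
}

// With the default setting the old check lets three node kinds through; the quick patch
// (ignoreIntrospection = false) closes the gap at the price of costing real introspection.
console.log('bypass with ignoreIntrospection=true :', bypassNodes(true));
console.log('bypass with ignoreIntrospection=false:', bypassNodes(false));
```

Running the block prints the three PoC-derived node names for the default setting and an empty list once `ignoreIntrospection` is disabled, while `isExemptFixed` still returns `true` for the genuine introspection field, which is why upgrading is preferable to the quick patch.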
Affected Software | Affected Version | How to fix |
---|---|---|
npm/@escape.tech/graphql-armor-cost-limit | <=2.4.0 | Apply the fix from PR 772, or set `ignoreIntrospection` to false as a quick patch |
The severity of GHSA-733v-p3h5-qpq7 is considered medium due to the ability to bypass cost limits.
To fix GHSA-733v-p3h5-qpq7, ensure that the `ignoreIntrospection` option is set to false.
The main issue in GHSA-733v-p3h5-qpq7 is the ability to bypass query cost limits by naming an operation or fragment `__schema`, so that it is treated as an introspection query and costed at zero.
The software affected by GHSA-733v-p3h5-qpq7 is the @escape.tech/graphql-armor-cost-limit package up to version 2.4.0.
Yes, GHSA-733v-p3h5-qpq7 is linked to the `ignoreIntrospection` configuration setting of the GraphQL Armor Cost Limit plugin.