{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/symfony/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["graphql-php","Lighthouse","Overblog/GraphQLBundle","wp-graphql","Drupal GraphQL module"],"_cs_severities":["high"],"_cs_tags":["graphql","denial-of-service","recursion","php"],"_cs_type":"advisory","_cs_vendors":["webonyx","Laravel","Symfony","WordPress","Drupal"],"content_html":"\u003cp\u003eThe \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e library is vulnerable to unbounded recursion in its parser. This vulnerability, present in the \u003ccode\u003eGraphQL\\Language\\Parser\u003c/code\u003e component, allows an attacker to cause a denial-of-service (DoS) by sending a crafted GraphQL query with excessive nesting. The parser, lacking any recursion depth limit, exhausts the C stack, leading to a SIGSEGV signal and the termination of the PHP process. The smallest crashing payload is approximately 74 KB, making exploitation feasible. This issue affects version v15.31.4 and likely earlier versions due to the unchanged recursive descent parsing design. 
This vulnerability poses a significant risk to applications using the affected library, including those built with Laravel (Lighthouse), Symfony (Overblog/GraphQLBundle), WordPress (wp-graphql), and Drupal (Drupal GraphQL module).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious GraphQL query containing deeply nested structures, such as lists or objects.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GraphQL query to the web server hosting the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe web server passes the query to the PHP application for processing.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGraphQL\\Language\\Parser\u003c/code\u003e component within \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e begins parsing the query using recursive descent methods.\u003c/li\u003e\n\u003cli\u003eDue to the excessive nesting, the parser\u0026rsquo;s recursion depth increases without bound, consuming C stack memory.\u003c/li\u003e\n\u003cli\u003eThe C stack is exhausted, triggering a SIGSEGV signal within the PHP runtime.\u003c/li\u003e\n\u003cli\u003eThe PHP process terminates abruptly, interrupting any in-flight requests handled by that process.\u003c/li\u003e\n\u003cli\u003eThe application becomes unavailable, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition. A single, relatively small (74 KB) POST request can terminate the PHP process handling it. In environments like php-fpm, this leads to worker processes being killed and respawned, dropping in-flight requests. Long-running PHP runtimes such as Swoole or RoadRunner will experience complete daemon failure. This occurs before any validation rules are applied, bypassing complexity analyzers and other defense mechanisms. 
The lack of a catchable error means there are no application-level logs or error messages generated, complicating incident response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch recommended by the maintainers of \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e when available, which introduces a recursion depth counter (Option 1 in the source).\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, consider implementing a front-end proxy or web application firewall (WAF) rule to limit the size of incoming GraphQL queries to prevent payloads exceeding 74 KB.\u003c/li\u003e\n\u003cli\u003eMonitor PHP-FPM logs for \u0026ldquo;child exited on signal 11 (SIGSEGV)\u0026rdquo; messages to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on GraphQL endpoints to reduce the impact of potential DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-graphql-php-recursion/","summary":"The webonyx/graphql-php library has an unbounded recursion vulnerability in its parser that can lead to a stack overflow, causing a denial of service by terminating the PHP process with a SIGSEGV.","title":"webonyx/graphql-php Unbounded Recursion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-graphql-php-recursion/"}],"language":"en","title":"CraftedSignal Threat Feed — Symfony","version":"https://jsonfeed.org/version/1.1"}