{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/webonyx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2023-26144"}],"_cs_exploited":false,"_cs_products":["graphql-php"],"_cs_severities":["medium"],"_cs_tags":["graphql","php","resource-exhaustion","vulnerability"],"_cs_type":"advisory","_cs_vendors":["webonyx"],"content_html":"\u003cp\u003eThe \u003ccode\u003eOverlappingFieldsCanBeMerged\u003c/code\u003e validation rule in \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e is vulnerable to a quadratic complexity issue due to how it handles inline fragments. Specifically, the pairwise comparison loop within the \u003ccode\u003ecollectConflictsWithin\u003c/code\u003e function can lead to an \u003ccode\u003eO(n^2 x m^2)\u003c/code\u003e worst-case scenario when processing queries with nested inline fragments. A 364 KB query with 200 outer and 100 inner inline fragments was observed to consume 117 seconds of CPU time per request on \u003ccode\u003ewebonyx/graphql-php@v15.31.4\u003c/code\u003e running on PHP 8.3.30. The existing named-fragment cache (CVE-2023-26144) does not cover inline fragments, making the system vulnerable to denial-of-service attacks through resource exhaustion. This affects applications using the standard validation pipeline, including Lighthouse, Overblog/GraphQLBundle, wp-graphql, and Drupal GraphQL.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a GraphQL query with a large number of nested inline fragments.\u003c/li\u003e\n\u003cli\u003eThe query is submitted to a \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDocumentValidator::validate()\u003c/code\u003e function invokes the default rules, including \u003ccode\u003eOverlappingFieldsCanBeMerged\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003eOverlappingFieldsCanBeMerged.php\u003c/code\u003e, the \u003ccode\u003einternalCollectFieldsAndFragmentNames\u003c/code\u003e function flattens inline fragments into the parent \u003ccode\u003e$astAndDefs\u003c/code\u003e map, increasing the size of the map.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecollectConflictsWithin\u003c/code\u003e function iterates through the flattened fields, performing an \u003ccode\u003eO(n^2)\u003c/code\u003e pairwise comparison of fields.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efindConflict\u003c/code\u003e function is recursively called for sub-selections, compounding the cost to \u003ccode\u003eO(n^2 x m^2)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the absence of a comparison budget or validation timeout, the validation process consumes excessive CPU resources.\u003c/li\u003e\n\u003cli\u003eThe PHP worker process becomes pinned, leading to potential denial of service via worker pool exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a denial of service (DoS) due to the exhaustion of server resources. A single 364 KB query can consume 117 seconds of CPU time, potentially exhausting the php-fpm worker pool. 
Systems with default configurations, such as Lighthouse/Laravel deployments, may be vulnerable even with \u003ccode\u003emax_execution_time\u003c/code\u003e limits, as the worker may burn significant CPU time before being terminated. Exploitation can bypass body-size limits and WAF rules via gzip compression, as the decompressed payload is much larger than the compressed one. The vulnerability affects all applications using the standard validation pipeline in \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e versions prior to 15.32.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ewebonyx/graphql-php\u003c/code\u003e version 15.32.2 or later, which includes a fix that addresses this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement a comparison budget in \u003ccode\u003eOverlappingFieldsCanBeMerged\u003c/code\u003e to limit the number of comparisons performed during validation, as described in the remediation options.\u003c/li\u003e\n\u003cli\u003eConsider capping inline-fragment flattening in \u003ccode\u003einternalCollectFieldsAndFragmentNames\u003c/code\u003e to prevent excessive growth of the \u003ccode\u003e$astAndDefs\u003c/code\u003e map, as outlined in the remediation options.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GraphQL PHP Excessive Validation Time\u003c/code\u003e to identify potential exploitation attempts by monitoring the execution time of GraphQL validation processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T14:00:00Z","date_published":"2026-05-05T14:00:00Z","id":"/briefs/2026-05-graphql-php-resource-exhaustion/","summary":"The `OverlappingFieldsCanBeMerged` validation rule in `webonyx/graphql-php` has an `O(n^2 x m^2)` worst-case complexity due to flattened inline fragments, leading to potential resource exhaustion.","title":"graphql-php OverlappingFieldsCanBeMerged Quadratic Complexity Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-graphql-php-resource-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Webonyx","version":"https://jsonfeed.org/version/1.1"}