Ashwak N

**Name of the Vulnerable Software and Affected Versions** graphql-go versions prior to 15.31.5 **Description** The `OverlappingFieldsCanBeMerged` validation rule exhibits quadratic time complexity when processing queries containing numerous repeated fields that share the same response name. Specifically, the `collectConflictsWithin()` function performs O(n²) pairwise comparisons of these fields. An attacker can exploit this by sending a crafted query with thousands of identical fields, leading to excessive CPU usage and resource exhaustion during the validation phase, before execution begins. This issue is not mitigated by existing QueryDepth or QueryComplexity rules. **Recommendations** Update to version 15.31.5.