PT-2025-19360 · Npm · @Escape.Tech/Graphql-Armor-Cost-Limit

Published: 2025-04-25 · Updated: 2025-04-25

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

The query cost restriction enforced by cost-limit can be bypassed when ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.

Details

At the start of the computeComplexity function, we have the following check for the ignoreIntrospection option:

  if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
    return 0;
  }

However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode.

So, for example, sending the following query

  query hello {
    books {
      title
    }
  }

would create an OperationDefinitionNode with node.name.value == 'hello'.

The proper way to handle this would be to check for the __schema field, which would create a FieldNode.

The fix is

  if (
    this.config.ignoreIntrospection &&
    'name' in node &&
    node.name?.value === '__schema' &&
    node.kind === Kind.FIELD
  ) {
    return 0;
  }

to assert that the node must be a FieldNode.

PoC

  query {
    ...__schema
  }

  fragment __schema on Query {
    books {
      title
      author
    }
  }

  query __schema {
    books {
      title
      author
    }
  }
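
The effect of the original and the fixed check on the two PoC documents above, as an added example (not code from the advisory or from GraphQL Armor). The AST nodes are hand-built objects that use graphql-js `kind` strings, and the cost model (1 per field) and all helper names are assumptions.

```javascript
// Added example: simplified cost walker, NOT the plugin's real implementation.
// Nodes are hand-built (constructed) objects using graphql-js `kind` strings.
const name = (value) => ({ kind: 'Name', value });
const withSel = (kind, n, sel) =>
  ({ kind, name: n ? name(n) : undefined, selectionSet: { selections: sel } });
const field = (n, ...sel) => withSel('Field', n, sel);
const operation = (n, ...sel) => withSel('OperationDefinition', n, sel);
const fragment = (n, ...sel) => withSel('FragmentDefinition', n, sel);
const spread = (n) => ({ kind: 'FragmentSpread', name: name(n) });

// Check as quoted in Details: matches ANY named node called __schema.
const skipVulnerable = (node) => 'name' in node && node.name?.value === '__schema';
// Check with the fix: the node must also be a FieldNode.
const skipFixed = (node) => skipVulnerable(node) && node.kind === 'Field';

// Assumed cost model: 1 per field plus its children; spreads resolve to their
// fragment definition. The constructed documents are acyclic, so no cycle guard.
function cost(node, fragments, skip, ignoreIntrospection = true) {
  if (ignoreIntrospection && skip(node)) return 0;
  if (node.kind === 'FragmentSpread') {
    const def = fragments[node.name.value];
    return def ? cost(def, fragments, skip, ignoreIntrospection) : 0;
  }
  const children = (node.selectionSet?.selections ?? []).reduce(
    (sum, child) => sum + cost(child, fragments, skip, ignoreIntrospection), 0);
  return (node.kind === 'Field' ? 1 : 0) + children;
}

const books = () => field('books', field('title'), field('author'));
const docs = {
  // PoC 1: anonymous query spreading a fragment named __schema.
  fragmentPoc: { op: operation(null, spread('__schema')),
                 fragments: { __schema: fragment('__schema', books()) } },
  // PoC 2: operation named __schema.
  operationPoc: { op: operation('__schema', books()), fragments: {} },
  // Genuine introspection: a *field* named __schema, the case the option targets.
  introspection: { op: operation(null, field('__schema', field('types', field('name')))),
                   fragments: {} },
};
const score = (doc, skip, ignore = true) => cost(doc.op, doc.fragments, skip, ignore);

for (const [label, doc] of Object.entries(docs)) {
  console.log(label, 'vulnerable:', score(doc, skipVulnerable), 'fixed:', score(doc, skipFixed));
}
```

Passing `false` as the third argument to `score` models the quick patch of disabling ignoreIntrospection: both PoC documents are then costed in full even with the original check.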

Impact

Applications using the GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled are affected.

Fix:

Fixed on 772. A quick patch would be to set ignoreIntrospection to false.

Weakness Enumeration

Resource Exhaustion

Allocation of Resources Without Limits

Related Identifiers

GHSA-733V-P3H5-QPQ7

Affected Products

@Escape.Tech/Graphql-Armor-Cost-Limit