PT-2025-36624 · Npm · @Escape.Tech/Graphql-Armor-Max-Depth

Published 2025-08-26 · Updated 2025-08-26

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

A query depth restriction using the max-depth property can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query or fragment __schema.

Details

At the start of the countDepth function, we have the following check for the ignoreIntrospection option:

```typescript
  if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
    return 0;
  }
```

However, node can be any of the following AST node types: FieldNode, FragmentDefinitionNode, InlineFragmentNode, OperationDefinitionNode or FragmentSpreadNode, and the check only compares the name, not the node kind.
For example, consider sending the following query:

```graphql
query hello {
  books {
    title
  }
}
```

This would create an OperationDefinitionNode where node.name.value == 'hello'. A query or fragment named __schema therefore matches the check above and is counted as depth 0.
The proper way to handle this is to check explicitly for the __schema field, which corresponds to a FieldNode.
The fix is:

```typescript
  if (
    this.config.ignoreIntrospection &&
    'name' in node &&
    node.name?.value === '__schema' &&
    node.kind === Kind.FIELD
  ) {
    return 0;
  }
```

This ensures that the node is explicitly a FieldNode, so a query or fragment that merely carries the name __schema is no longer exempted from depth counting.

PoC

Max depth: 6

```graphql
query {
  books {
    author {
      books {
        author {
          ...__schema
        }
      }
    }
  }
}
fragment __schema on Author {
  books {
    title
  }
}
```

The fragment is named __schema, so the vulnerable check returns 0 at the fragment spread and the fields it adds (books { title }) are never counted against the limit.
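To make the bypass concrete, the following is an added example (not code from graphql-armor or the advisory): a simplified depth counter modelled on the countDepth check quoted in the Details section, run over the PoC document above and over a genuine introspection query. The AST shape and the helper constructors are constructed for this example; a `fixed` flag switches between the vulnerable name-only check and the patched name-plus-kind check.

```typescript
// Minimal stand-in for the graphql-js AST: only the fields the depth counter
// reads. Constructed for this example; the real graphql package is not used.
type NodeKind = 'OperationDefinition' | 'Field' | 'FragmentSpread' | 'FragmentDefinition';
interface AstNode { kind: NodeKind; name?: string; selections?: AstNode[] }
const field = (name: string, ...selections: AstNode[]): AstNode =>
  ({ kind: 'Field', name, ...(selections.length ? { selections } : {}) });
const spread = (name: string): AstNode => ({ kind: 'FragmentSpread', name });

// Simplified model of countDepth (not the plugin's exact semantics): every node
// below the operation adds one level and a fragment spread descends into the
// named fragment definition. `fixed` selects the vulnerable check (name only)
// or the patched check (name AND kind === Field) quoted in the Details section.
function countDepth(node: AstNode, fragments: Record<string, AstNode>, fixed: boolean, parentDepth = 0): number {
  if (node.name === '__schema' && (!fixed || node.kind === 'Field')) {
    return 0; // ignoreIntrospection short-circuit
  }
  const depth = node.kind === 'OperationDefinition' ? parentDepth : parentDepth + 1;
  let deepest = depth;
  for (const child of node.selections ?? []) {
    deepest = Math.max(deepest, countDepth(child, fragments, fixed, depth));
  }
  if (node.kind === 'FragmentSpread' && node.name !== undefined && fragments[node.name]) {
    deepest = Math.max(deepest, countDepth(fragments[node.name], fragments, fixed, depth));
  }
  return deepest;
}
const MAX_DEPTH = 6; // the limit used in the PoC
function exceedsMaxDepth(doc: AstNode, fragments: Record<string, AstNode>, fixed: boolean): boolean {
  return countDepth(doc, fragments, fixed) > MAX_DEPTH;
}

// The advisory's PoC rebuilt as an AST: four nested fields, then a spread of a
// fragment named __schema that adds two more fields (books { title }).
const pocQuery: AstNode = {
  kind: 'OperationDefinition',
  selections: [field('books', field('author', field('books', field('author', spread('__schema')))))],
};
const pocFragments: Record<string, AstNode> = {
  __schema: { kind: 'FragmentDefinition', name: '__schema', selections: [field('books', field('title'))] },
};
// Genuine introspection, which ignoreIntrospection is meant to exempt in both versions.
const introspectionQuery: AstNode = {
  kind: 'OperationDefinition',
  selections: [field('__schema', field('types', field('name')))],
};
console.log('PoC rejected, vulnerable check:', exceedsMaxDepth(pocQuery, pocFragments, false)); // false
console.log('PoC rejected, patched check:', exceedsMaxDepth(pocQuery, pocFragments, true));     // true
console.log('Introspection depth, patched check:', countDepth(introspectionQuery, {}, true));  // 0
```

The vulnerable check stops at the spread and reports depth 4, while the patched check follows the fragment and reports 8, so only the patched version rejects the PoC under a limit of 6.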

Impact

This issue affects applications using the GraphQL Armor Depth Limit plugin with ignoreIntrospection enabled.

Fix

This is fixed in PR#823.

Weakness Enumeration

Resource Exhaustion

Related Identifiers

GHSA-HMFR-RX46-4JX2

Affected Products

@Escape.Tech/Graphql-Armor-Max-Depth