PT-2026-33381 · Unknown · Hot Chocolate

Published: 2026-04-16 · Updated: 2026-04-19 · CVE-2026-40324

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- Hot Chocolate versions prior to 12.22.7
- Hot Chocolate versions prior to 13.9.16
- Hot Chocolate versions prior to 14.3.1
- Hot Chocolate versions prior to 15.1.14
Description:
The recursive descent parser Utf8GraphQLParser lacks a recursion depth limit. A crafted GraphQL document containing deeply nested selection sets, object values, list values, or list types can trigger a StackOverflowException with payloads as small as 40 KB. Because this exception cannot be caught in .NET, the entire worker process is terminated immediately, dropping all in-flight HTTP requests, background IHostedService tasks, and open WebSocket subscriptions. The crash occurs inside the Utf8GraphQLParser.Parse call, which runs before validation rules such as MaxExecutionDepth, complexity analyzers, or custom IDocumentValidatorRule implementations are executed, so none of those checks ever see the document. The MaxAllowedFields limit is ineffective because the crashing payloads require very few fields.
Recommendations:
- Update to version 12.22.7 or later.
- Update to version 13.9.16 or later.
- Update to version 14.3.1 or later.
- Update to version 15.1.14 or later.
- Limit HTTP request body size at the reverse proxy or load balancer layer to reduce risk.
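As an added example that is not part of this advisory and not Hot Chocolate's own code, the following Python shows the kind of linear, non-recursive pre-parse gate a defender can place in front of a recursive-descent GraphQL parser on an unpatched deployment: it measures the deepest bracket nesting in a document (selection sets and object values use {}, argument lists use (), list values and list types use []) while skipping string literals and comments, and rejects the document before any recursive parse is attempted. The MAX_NESTING threshold, the function names and the two sample documents are assumptions constructed for the example.

```python
"""Linear-time nesting-depth gate for GraphQL documents (added example).

Stand-alone illustration, not part of Hot Chocolate. It rejects deeply nested
documents before they reach a recursive-descent parser, which is the stage the
advisory identifies as crashing. MAX_NESTING is an assumed threshold.
"""

MAX_NESTING = 64  # assumed limit; set it above the deepest legitimate query you serve

OPENERS = {"{": "}", "(": ")", "[": "]"}
CLOSERS = set(OPENERS.values())


def max_nesting_depth(document: str) -> int:
    """Return the deepest bracket nesting found in a GraphQL document.

    Brackets inside ordinary strings, block strings (\"\"\"...\"\"\") and
    # comments are ignored so only syntactic nesting is counted. The scan is a
    single forward pass with no recursion, so it cannot itself overflow the
    stack regardless of input size.
    """
    depth = 0
    deepest = 0
    i = 0
    n = len(document)
    while i < n:
        ch = document[i]
        if ch == "#":  # comment runs to end of line
            while i < n and document[i] not in "\r\n":
                i += 1
            continue
        if document.startswith('"""', i):  # block string; honour the \""" escape
            end = document.find('"""', i + 3)
            while end != -1 and document[end - 1] == "\\":
                end = document.find('"""', end + 1)
            i = n if end == -1 else end + 3
            continue
        if ch == '"':  # ordinary string; skip backslash escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
            continue
        if ch in OPENERS:
            depth += 1
            deepest = max(deepest, depth)
        elif ch in CLOSERS:
            depth = max(0, depth - 1)  # unbalanced input is left for the real parser to reject
        i += 1
    return deepest


def is_acceptable(document: str, limit: int = MAX_NESTING) -> bool:
    """True if the document may be handed to the parser, False if it should be rejected."""
    return max_nesting_depth(document) <= limit


# Constructed sample inputs (not taken from the advisory).
LEGIT_QUERY = 'query { user(id: "{{not-nesting}}") { posts(first: 10) { title } } }'
# A synthetic deeply nested selection set of the kind the advisory describes,
# built at depth 200 solely to exercise the gate.
NESTED_QUERY = "{ a " * 200 + "}" * 200

if __name__ == "__main__":
    for name, doc in (("legit", LEGIT_QUERY), ("nested", NESTED_QUERY)):
        verdict = "accepted" if is_acceptable(doc) else "rejected"
        print(f"{name}: depth={max_nesting_depth(doc)} size={len(doc)}B {verdict}")
```

In a Hot Chocolate deployment the equivalent check would live in an ASP.NET Core middleware registered ahead of the GraphQL endpoint, reading the buffered request body before the framework parses it, and it complements rather than replaces the proxy-level body-size limit listed above; both are stopgaps until the fixed versions are deployed, since a small body can still nest deeply.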

Tags: Fix · DoS

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers:
- CVE-2026-40324
- GHSA-QR3M-XW4C-JQW3

Affected Products:
- Hot Chocolate