Description
Describe the bug
The web application's GraphQL API allows nested queries that follow circular relationships between types; this was confirmed through introspection of the schema. Such a configuration lets a client build queries whose resolution consumes an excessive amount of server resources, potentially resulting in a Denial of Service (DoS) that reduces the availability of the GraphQL API and degrades the overall performance of the web application.
Steps to Reproduce
- Send the following request containing a large number of nested queries and observe that the server resolves all of them. Request:
POST /api/graphql HTTP/1.1
Host: int.visualize.admin.ch
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip,deflate,br
Accept: */*
Connection: Keep-alive
Content-Type: application/json
Cookie: b_test_id=03594220250225_a4534fc90224d4c325a87b8969c78945; recognitionDone=1
Content-Length: 819
Impact
Allowing circular queries in the GraphQL schema enables attackers to craft queries whose resolution cost grows exponentially with minimal effort on their side. This can lead to a Denial of Service (DoS) attack, significantly impacting the availability and performance of the GraphQL API. Depending on the underlying architecture, the effect may cascade and consume all available resources on the web server.
Remediation
Limit Query Depth: Implement a restriction on the maximum query depth allowed in the GraphQL API to prevent excessive nesting and circular queries.
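As an added illustration of the depth limit asked for above (example code written for this report; it is not part of the project's code base), the following JavaScript measures the selection-set nesting of an incoming GraphQL document and rejects it before it reaches the executor. The function names `graphqlQueryDepth` and `enforceDepthLimit`, the limit of 5 and the sample queries with their field names are assumptions chosen for illustration.

```javascript
// Added example (not the project's code): measure selection-set nesting of a
// GraphQL request document and reject it before execution when it is too deep.
// Names, the limit and the sample queries are assumptions for illustration.

// Scans the raw query text and returns the deepest selection-set nesting.
// Braces inside parentheses are argument/variable object literals, not
// selection sets, so they are ignored; strings and comments are skipped.
function graphqlQueryDepth(query) {
  let depth = 0;      // current selection-set nesting
  let maxDepth = 0;   // deepest nesting seen so far
  let parens = 0;     // > 0 while inside a (...) argument list
  let i = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === '#') {                       // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (query.startsWith('"""', i)) {      // block string literal
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      continue;
    }
    if (c === '"') {                       // ordinary string literal, with escapes
      i++;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === '\\') i++;
        i++;
      }
      i++;
      continue;
    }
    if (c === '(') parens++;
    else if (c === ')') parens = Math.max(0, parens - 1);
    else if (c === '{' && parens === 0) {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (c === '}' && parens === 0) {
      depth--;
      if (depth < 0) throw new Error('unbalanced selection set braces');
    }
    i++;
  }
  if (depth !== 0) throw new Error('unbalanced selection set braces');
  return maxDepth;
}

// Gate to run before handing the document to the GraphQL executor.
function enforceDepthLimit(query, maxAllowedDepth) {
  const depth = graphqlQueryDepth(query);
  return depth > maxAllowedDepth
    ? { ok: false, depth, error: `query depth ${depth} exceeds limit ${maxAllowedDepth}` }
    : { ok: true, depth };
}

// Constructed sample documents (field names are hypothetical).
const SHALLOW_QUERY = `query { dataCubes { iri title } }`;
const CIRCULAR_QUERY = `
  # cube -> observations -> cube -> ... follows a circular relationship
  query {
    dataCubes {
      observations {
        dataCube {
          observations {
            dataCube { iri }
          }
        }
      }
    }
  }`;
const ARGUMENT_OBJECT_QUERY =
  `query { dataCubes(filter: { locale: { eq: "de" } }) { iri } }`;

const MAX_DEPTH = 5; // assumed limit; tune it to the deepest legitimate client query

function demo() {
  return {
    shallow: enforceDepthLimit(SHALLOW_QUERY, MAX_DEPTH),
    circular: enforceDepthLimit(CIRCULAR_QUERY, MAX_DEPTH),
    argumentObject: enforceDepthLimit(ARGUMENT_OBJECT_QUERY, MAX_DEPTH),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two caveats for putting this into practice. First, the scanner works on the text only and does not follow fragment spreads, so nesting hidden behind `...FragmentName` is not counted; treat it as a cheap first gate and enforce the authoritative limit as a validation rule on the parsed AST (for example with the graphql-depth-limit package, or a custom rule that resolves fragments), which also gives you a place to log rejected queries by client and depth. Second, the standard introspection query is itself deeply nested through the `ofType` chain, so pick the limit with the deepest legitimate client query in mind, or handle introspection separately, for instance by disabling it outside development environments.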
Environment
The bug has only been reported and documented for the integration (INT) environment. However, please make sure to also take a deeper look at all other environments you may operate (e.g. acceptance, production and test environments). The described bug may also be present there.
Additional context
Source: Bug Bounty Email from Reto on 07.10.2025
Also see: IRKSOME-aqua.txt