Alias Overloading
Updated: June 19, 2025
Description
The GraphQL endpoint does not limit the number of aliases in a query: a single query containing more than 100 aliases is accepted and executed.
GraphQL aliases let a client request the same field several times in one query under different names. The server resolves each aliased field independently, so one request multiplies resolver work, backend and database calls, and response size by the number of aliases. Because all of that work is triggered by one HTTP request, alias overloading also bypasses per-request rate limits that would throttle the same load sent as separate requests. Without an upper bound, a malicious client can use this to exhaust CPU, memory or database capacity, degrading performance for other users or causing a denial of service (DoS).
Example Attack
An attacker submits a query that requests the same expensive field more than 100 times under distinct aliases (for example a1, a2, a3, ...). The server executes the field's resolver once per alias, so a query that would normally cost one resolver call costs more than a hundred, and the response returns the same data more than a hundred times. Sent repeatedly or in parallel, such queries drive up CPU, memory and database load until responses slow down or the service stops responding altogether, which is a denial-of-service (DoS) condition reached from a single unauthenticated request pattern.
Remediation
Enforce a maximum number of aliases per query and reject any document that exceeds it during validation, before any resolver runs, so that the cost of an oversized query is limited to parsing it. Configure the GraphQL server to apply this rule globally (most servers and gateways expose an alias or field-count limit, or accept a custom validation rule) and choose a threshold based on what legitimate clients actually send, which is normally far below 100. An alias limit is one control among several: query depth and cost/complexity limits and rate limiting should be in place as well, since an attacker can also multiply work through nested selections, list arguments and batched operations.
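The following is an added, self-contained example (not code from the original finding or from any specific GraphQL server) that covers both the attack above and the remediation: it builds an alias-overloading query, counts aliases with a small scanner, and rejects the document when the count exceeds a cap. The scanner is an assumed-sufficient tokenizer that recognises only what an alias check needs (names, colons, parentheses, strings and comments); it is not a full GraphQL parser. The field name users, the argument list and the MAX_ALIASES threshold are constructed values for illustration, not values from the affected endpoint.

```python
"""Alias overloading: build the attack query, then count and cap aliases.

Added example, not part of the original finding. The scanner below is an
assumed-sufficient tokenizer for the syntax an alias limit needs to see;
it is not a complete GraphQL parser.
"""
import re

NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")

# Assumed threshold for illustration; tune it to what legitimate clients send.
MAX_ALIASES = 15


def build_alias_overload_query(field: str, n: int, args: str = "") -> str:
    """Constructed attack query: the same field requested n times under
    distinct aliases. The server resolves every alias independently, so the
    resolver cost of this one request scales linearly with n."""
    lines = [f"  a{i}: {field}{args}" for i in range(n)]
    return "query {\n" + "\n".join(lines) + "\n}"


def count_aliases(query: str) -> int:
    """Count field aliases, i.e. Name ':' occurring outside argument lists.

    Comments and string literals are skipped. Parenthesis depth is tracked so
    that argument names (user(id: 1)), variable definitions (query ($id: ID!))
    and object-value keys inside arguments are not mistaken for aliases.
    Commas are insignificant in GraphQL and are treated as whitespace.
    """
    count = 0
    depth = 0  # nesting level of ( ) argument / variable lists
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":  # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):  # block string
            j = query.find('"""', i + 3)
            i = n if j < 0 else j + 3
        elif c == '"':  # ordinary string, honour backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        elif c == "(":
            depth += 1
            i += 1
        elif c == ")":
            depth = max(0, depth - 1)
            i += 1
        else:
            m = NAME.match(query, i)
            if m:
                i = m.end()
                j = i
                while j < n and query[j] in " \t\r\n,":
                    j += 1
                if depth == 0 and j < n and query[j] == ":":
                    count += 1
                    i = j + 1
            else:
                i += 1
    return count


def check_alias_limit(query: str, max_aliases: int = MAX_ALIASES):
    """Validation-time check: return (allowed, alias_count). A server would
    run this before execution and answer with a validation error when
    allowed is False, so no resolver is ever invoked for the oversized query."""
    found = count_aliases(query)
    return found <= max_aliases, found


if __name__ == "__main__":
    attack = build_alias_overload_query("users", 120, "(first: 50) { id name }")
    allowed, found = check_alias_limit(attack, max_aliases=100)
    print(f"aliases={found} allowed={allowed}")
    benign = 'query ($id: ID!) { user(id: $id) { name: fullName # alias: yes\n } }'
    print(check_alias_limit(benign))
```

The check runs on the raw document, so it costs a single linear pass regardless of how expensive the aliased fields would be to resolve; that is the property a limit needs, since the point is to refuse the work before paying for it. In a real deployment the same logic belongs in the server's validation phase (a custom validation rule or the built-in alias limit, where the server offers one) rather than in a proxy that re-parses the request.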