Findings
Introspection-based Circular Query
Updated: June 19, 2025
Description
The GraphQL endpoint permits circular queries through introspection.
This allows any client to walk the schema recursively in a way that causes excessive processing and resource consumption. The behavior increases the risk of denial-of-service (DoS) attacks because the server will keep processing deeply nested introspection and recursive requests without a bound.
Example Attack
An attacker sends an introspection query designed to traverse the GraphQL schema recursively, for example by repeatedly following the relationships between types, so that the server must resolve an ever-growing set of nested selections. The resulting processing can exhaust server resources, slowing the service down for other users or taking it offline entirely, which is a denial-of-service (DoS) condition.
Remediation
Update the GraphQL API so that circular queries made through introspection are rejected. Enforce query depth and complexity limits on every request, and disable introspection in production environments where it is not needed.
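A pre-execution filter of the kind the remediation describes, as an added example that is not part of the finding or of any particular GraphQL server: it rejects request bodies whose selection sets nest deeper than a limit and, when introspection is turned off for the environment, rejects queries that touch the introspection fields. The limit of 6 and the sample queries are assumptions constructed for illustration.

```python
import re

# Added example (not the finding's code): a gateway-side pre-execution filter that
# enforces a selection-depth limit and blocks introspection when it is disabled.
MAX_DEPTH = 6  # assumed value; tune it to the schema's legitimate queries
INTROSPECTION_FIELD = re.compile(r"\b__(schema|type)\b")  # __typename stays allowed

def selection_depth(query: str) -> int:
    """Deepest selection-set nesting; skips braces inside strings, block
    strings and '#' comments. Fragment spreads are not expanded, so the value
    is a lower bound for documents using fragments. Unbalanced braces raise
    ValueError so malformed input is rejected rather than executed."""
    depth = deepest = 0
    i, n = 0, len(query)
    while i < n:
        if query.startswith('"""', i):           # block string
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        ch = query[i]
        if ch == "#":                            # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif ch == '"':                          # string; honour \" escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced selection set")
    return deepest

def check_query(query, max_depth=MAX_DEPTH, introspection_enabled=False):
    """Return (allowed, reason) for a request body before it reaches the executor."""
    try:
        depth = selection_depth(query)
    except ValueError as exc:
        return False, str(exc)
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if not introspection_enabled and INTROSPECTION_FIELD.search(query):
        return False, "introspection is disabled in this environment"
    return True, "ok"
```

The introspection check is a plain text match, so it also fires on `__schema` or `__type` inside a string literal; that false positive is acceptable for a deny-side filter. Pair this with a cost or complexity rule in the server itself, since depth alone does not bound wide queries.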