GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation

Summary

A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.

Details

At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:

    if (this.config.ignoreIntrospection &amp;&amp; &#039;name&#039; in node &amp;&amp; node.name?.value === &#039;__schema&#039;) {
      return 0;
    }

However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode

So, for example, sending the following query

query hello {
  books {
    title
  }
}

would create an OperationDefinitionNode with node.name.value == 'hello'

The proper way to handle this would be to check for the __schema field, which would create a FieldNode.

The fix is

    if (
      this.config.ignoreIntrospection &amp;&amp;
      &#039;name&#039; in node &amp;&amp;
      node.name?.value === &#039;__schema&#039; &amp;&amp;
      node.kind === Kind.FIELD
    ) {
      return 0;
    }

to assert that the node must be a FieldNode

PoC

query  {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}

query __schema {
  books {
    title
    author
  }
}

Impact

Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.

Fix:

Fixed on 772. A quick patch would be to set ignoreIntrospection to false.

Published: Apr 25, 2025
Updated: Apr 30, 2025
GHSA: GHSA-733v-p3h5-qpq7
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

Affected Software
References

Software	From	Fixed in
@escape.tech / graphql-armor-cost-limit	-	2.4.2

Vulnerability Database

309,540

GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation

Summary

Details

PoC

Impact

Fix:

Deep Security Visibility Without the Complexity