Allocation of Resources Without Limits or Throttling Affecting @escape.tech/graphql-armor package, versions <3.1.5

Q: How to fix?

Upgrade @escape.tech/graphql-armor to version 3.1.5 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-ESCAPETECHGRAPHQLARMOR-10043599
published7 May 2025
disclosed25 Apr 2025
creditMohamed Mongi

Report a new vulnerability Found a mistake?

Introduced: 25 Apr 2025

CWE-770 (opens in a new tab)

How to fix?

Upgrade @escape.tech/graphql-armor to version 3.1.5 or higher.

Overview

@escape.tech/graphql-armor is a Dead-simple, yet highly customizable security middleware for Apollo GraphQL servers shield

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the computeComplexity function due to an insufficient check within the ignoreIntrospection option, which is enabled by default. This allows an attacker to bypass a cost restriction by naming a query or a fragment using __schema

Workaround

Users who are enabled to upgrade to the fixed version are advised to set the ignoreIntrospection option to false.

PoC

query  {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}

query __schema {
  books {
    title
    author
  }
}

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None