CVE-2026-40324 Overview
CVE-2026-40324 is a critical Denial of Service vulnerability affecting Hot Chocolate, an open-source GraphQL server for .NET. The vulnerability exists in the Utf8GraphQLParser recursive descent parser, which lacks a recursion depth limit. Attackers can exploit this by sending crafted GraphQL documents with deeply nested selection sets, object values, list values, or list types to trigger an uncatchable StackOverflowException, immediately terminating the worker process.
Critical Impact
A malicious GraphQL payload as small as 40 KB can crash the entire .NET worker process. Since StackOverflowException is uncatchable in .NET, all in-flight HTTP requests, background services, and WebSocket subscriptions are dropped instantly, requiring orchestrator restart.
Affected Products
- Hot Chocolate GraphQL Server versions prior to 12.22.7
- Hot Chocolate GraphQL Server versions prior to 13.9.16
- Hot Chocolate GraphQL Server versions prior to 14.3.1
- Hot Chocolate GraphQL Server versions prior to 15.1.14
Discovery Timeline
- 2026-04-18 - CVE-2026-40324 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40324
Vulnerability Analysis
This vulnerability is classified as CWE-674 (Uncontrolled Recursion). The Hot Chocolate GraphQL parser uses a recursive descent parsing strategy through the Utf8GraphQLParser class to process incoming GraphQL documents. The fundamental flaw is that recursive methods such as ParseSelectionSet, ParseValueLiteral, ParseObject, ParseList, and ParseTypeReference have no depth limit enforcement. When processing deeply nested structures, each recursive call consumes stack space until the stack is exhausted.
The attack is particularly severe because it occurs at the parsing phase—before any validation rules execute. This means protective measures like MaxExecutionDepth, complexity analyzers, persisted query allow-lists, and custom IDocumentValidatorRule implementations are completely bypassed. The existing MaxAllowedFields=2048 limit provides no protection since crashing payloads contain very few fields but deep nesting.
Root Cause
The root cause is the absence of recursion depth tracking and enforcement in the Utf8GraphQLParser class. The parser's recursive methods process nested GraphQL structures without maintaining or checking a depth counter, allowing unbounded recursion that exhausts the call stack. Since .NET's StackOverflowException has been uncatchable since .NET 2.0, the process terminates without any opportunity for graceful error handling.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a specially crafted GraphQL query containing deeply nested structures (selection sets, objects, lists, or type references) to any exposed GraphQL endpoint. The payload can be as small as 40 KB and is highly compressible—potentially only a few hundred bytes when gzip-compressed—making it trivial to deliver through standard HTTP channels. Most reverse proxy and load balancer default body size limits are well above this threshold, providing no effective protection.
// Security patch in RequestParserOptions.cs - Add depth limit to GraphQL parser (#9531)
/// as fields is an easier way to estimate query size for GraphQL requests.
/// </summary>
public int MaxAllowedFields { get; set; } = 2048;
+ /// <summary>
+ /// The maximum number of directives allowed per location (e.g. per field,
+ /// per operation, per fragment definition). Repeatable directives can be used
+ /// to exhaust CPU and memory resources if not limited.
+ /// </summary>
+ public int MaxAllowedDirectives { get; set; } = 4;
+
+ /// <summary>
+ /// The maximum allowed recursion depth when parsing a document.
+ /// This prevents stack overflow from deeply nested queries.
+ /// </summary>
+ public int MaxAllowedRecursionDepth { get; set; } = 200;
}
Source: ChilliCream Commit 08c0caa
Detection Methods for CVE-2026-40324
Indicators of Compromise
- Unexpected worker process crashes or restarts in Kubernetes, IIS, or other orchestrators
- Log entries indicating StackOverflowException in Hot Chocolate or GraphQL-related components
- Abnormal pattern of GraphQL requests with unusually deep nesting structures
- Compressed HTTP payloads to GraphQL endpoints that decompress to deeply nested documents
- Sudden termination of WebSocket subscriptions and background IHostedService tasks
Detection Strategies
- Monitor GraphQL endpoint logs for requests containing repetitive nesting patterns in selection sets or list types
- Implement request body inspection at WAF or reverse proxy layer to detect deeply nested JSON/GraphQL structures
- Track process restart frequency and correlate with incoming GraphQL traffic patterns
- Deploy anomaly detection for GraphQL query complexity metrics before they reach the parser
Monitoring Recommendations
- Configure alerting on worker process restart events in Kubernetes or IIS environments
- Enable detailed logging for GraphQL request parsing failures and crashes
- Monitor for unusual patterns in request body sizes and compression ratios
- Implement real-time tracking of GraphQL endpoint availability and response times
How to Mitigate CVE-2026-40324
Immediate Actions Required
- Upgrade Hot Chocolate to patched versions: 12.22.7, 13.9.16, 14.3.1, or 15.1.14 immediately
- Review GraphQL endpoint exposure and consider temporarily restricting access if upgrade is delayed
- Implement request body size limits at reverse proxy layer as a partial risk reduction measure
- Monitor for process crashes and restart events while remediation is in progress
Patch Information
The fix introduces a new MaxAllowedRecursionDepth option to ParserOptions with a safe default value of 200. This limit is enforced across all recursive parser methods including ParseSelectionSet, ParseValueLiteral, ParseObject, ParseList, and ParseTypeReference. When the limit is exceeded, a catchable SyntaxException is thrown instead of overflowing the stack. The patch also adds MaxAllowedDirectives (default: 4) to prevent resource exhaustion via repeatable directives.
Patched releases are available:
For full details, see the ChilliCream Security Advisory GHSA-qr3m-xw4c-jqw3.
Workarounds
- No application-level workaround exists—StackOverflowException cannot be caught in .NET
- Reducing HTTP request body size at reverse proxy or load balancer provides partial risk reduction, but smallest crashing payload (40 KB) is below most default limits
- Consider blocking GraphQL endpoints from untrusted sources until patching is complete
- Upgrading to a patched version is the only complete mitigation
// After upgrading, configure parser options with custom limits if needed
services.AddGraphQLServer()
.ModifyParserOptions(options =>
{
options.MaxAllowedRecursionDepth = 200; // Default safe value
options.MaxAllowedDirectives = 4; // Prevents directive exhaustion
options.MaxAllowedFields = 2048; // Existing field limit
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
