Critical Hot Chocolate GraphQL Server DoS Vulnerability
The National Vulnerability Database has disclosed CVE-2026-40324, a critical denial-of-service vulnerability affecting Hot Chocolate, an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, the Utf8GraphQLParser lacks a recursion depth limit. This flaw allows an attacker to craft a deeply nested GraphQL document, triggering an uncatchable StackOverflowException in .NET with payloads as small as 40 KB.
This isn’t just a restart; it’s a full process termination. All active HTTP requests, background tasks, and WebSocket subscriptions on the affected worker are immediately dropped. Crucially, this crash occurs before any validation rules, like MaxExecutionDepth or complexity analyzers, can interdict the malicious payload. The MaxAllowedFields limit also offers no protection, as the crashing payloads contain very few fields. This is a fundamental parser flaw, not a logic bypass.
There is no application-level workaround due to the uncatchable nature of StackOverflowException in .NET. The only viable mitigation is a direct upgrade to a patched version. While limiting HTTP request body size at the reverse proxy can reduce risk, the small payload size (40 KB, highly compressible) means most default limits won’t stop this. Defenders need to prioritize patching.
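As an added example (not code from the advisory or from the Hot Chocolate project), a gateway-side screen that measures a GraphQL document's bracket nesting before the request is forwarded, so extreme nesting can be logged or rejected in front of the server while the upgrade is rolled out. The MAX_DEPTH threshold and the sample documents are assumptions.

```python
"""Pre-parse nesting-depth screen for GraphQL request bodies.

Counts the deepest nesting of {, [ and ( in a document while skipping
string literals, block strings and # comments, so a reverse proxy or
gateway can flag documents whose nesting would drive a recursive-descent
parser very deep before they reach the application.
"""

MAX_DEPTH = 64  # assumed gateway policy; legitimate queries rarely exceed ~20

OPENERS = {"{": "}", "[": "]", "(": ")"}


def max_nesting_depth(doc: str) -> int:
    """Return the deepest bracket nesting in `doc`, ignoring brackets inside
    strings and comments. Unbalanced documents still get a depth count."""
    depth = deepest = 0
    i, n = 0, len(doc)
    while i < n:
        c = doc[i]
        if c == "#":                       # line comment: skip to end of line
            while i < n and doc[i] != "\n":
                i += 1
        elif doc.startswith('"""', i):     # block string: skip to closing """
            j = doc.find('"""', i + 3)
            i = n if j == -1 else j + 3
            continue
        elif c == '"':                     # plain string: honour backslash escapes
            i += 1
            while i < n and doc[i] != '"':
                i += 2 if doc[i] == "\\" else 1
        elif c in OPENERS:
            depth += 1
            deepest = max(deepest, depth)
        elif c in "}])":
            depth = max(depth - 1, 0)
        i += 1
    return deepest


def screen_document(doc: str, limit: int = MAX_DEPTH) -> tuple[bool, int]:
    """Return (allowed, depth); the request is rejected when depth > limit."""
    depth = max_nesting_depth(doc)
    return depth <= limit, depth


# Constructed samples (not from the advisory): an ordinary query, and a
# document whose nesting comes only from a deeply wrapped list type.
NORMAL_QUERY = 'query { user(id: "{not a brace}") { posts { title } } }'
NESTED_LISTS = "query q($v: " + "[" * 30 + "Int" + "]" * 30 + ") { a }"
```

Because a nesting count is linear in the body size, the screen costs nothing extra for the compressed 40 KB case the advisory describes, unlike a body-size limit, which cannot distinguish nesting from ordinary bulk.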
What This Means For You
- If your organization uses Hot Chocolate GraphQL server, you are exposed to a critical denial-of-service attack that bypasses typical validation and cannot be mitigated at the application layer. Immediately identify all Hot Chocolate instances and upgrade to versions 12.22.7, 13.9.16, 14.3.1, or 15.1.14 or later. There is no other fix.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40324 | DoS | Hot Chocolate GraphQL server versions < 12.22.7, < 13.9.16, < 14.3.1, < 15.1.14 |
| CVE-2026-40324 | DoS | Vulnerable component: Utf8GraphQLParser in Hot Chocolate |
| CVE-2026-40324 | DoS | Attack vector: Crafted GraphQL document with deeply nested selection sets, object values, list values, or list types |
| CVE-2026-40324 | DoS | Vulnerable function: Utf8GraphQLParser.Parse (and recursive methods like ParseSelectionSet, ParseValueLiteral, ParseObject, ParseList, ParseTypeReference) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.