Recursive Descent Parser Vulnerability in Hot Chocolate GraphQL Server
CVE-2026-40324

9.1 CRITICAL

Key Information:

Vendor
CVE Published: 17 April 2026

What is CVE-2026-40324?

The Hot Chocolate GraphQL server contains a vulnerability in its recursive descent parser: because the parser enforces no limit on recursion depth, a crafted GraphQL document with deeply nested selection sets or object values drives it into a StackOverflowException. A StackOverflowException cannot be caught in .NET, so the process crashes immediately, terminating the entire worker process and dropping all in-flight HTTP requests and background tasks. Existing limits such as MaxAllowedFields do not prevent the crash, because the crafted payloads contain only a minimal number of fields. The fixed versions introduce a MaxAllowedRecursionDepth parameter, which keeps parsing safe by throwing a catchable SyntaxException when the limit is exceeded. Users are urged to upgrade to the latest patched versions to mitigate this issue.
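As an added illustration, not code from the Hot Chocolate project, the following toy recursive descent parser for GraphQL selection sets shows the kind of bound the fixed versions add: a configurable depth limit that rejects the document with a catchable exception instead of exhausting the thread stack, where .NET raises a StackOverflowException that no handler can catch. The class names, the limit of 64 and both inputs are assumptions constructed for this example.

```csharp
using System;
using System.Linq;
// Assumed names: this toy parser and its SyntaxException are not Hot Chocolate's.
public sealed class SyntaxException : Exception { public SyntaxException(string m) : base(m) { } }
public sealed class DepthLimitedParser
{
    private readonly string _src; private int _pos;
    private readonly int _maxDepth; // plays the role of a MaxAllowedRecursionDepth option
    public DepthLimitedParser(string source, int maxAllowedRecursionDepth) { _src = source; _maxDepth = maxAllowedRecursionDepth; }
    // Parses "{ name { name ... } }" and returns the deepest nesting level seen.
    public int Parse()
    {
        int deepest = ParseSelectionSet(1);
        SkipWs();
        if (_pos != _src.Length) throw new SyntaxException($"Unexpected input at {_pos}.");
        return deepest;
    }
    private int ParseSelectionSet(int depth)
    {
        // The bound the advisory describes: fail with a catchable exception long before the stack is exhausted.
        if (depth > _maxDepth) throw new SyntaxException($"Nesting depth exceeds the limit of {_maxDepth}.");
        Expect('{');
        int deepest = depth;
        for (SkipWs(); Peek() != '}'; SkipWs())
        {
            ParseName();          // each field needs a name ...
            SkipWs();
            if (Peek() == '{') deepest = Math.Max(deepest, ParseSelectionSet(depth + 1)); // ... and may nest
        }
        Expect('}'); return deepest;
    }
    private char Peek() => _pos < _src.Length ? _src[_pos] : '\0';
    private void SkipWs() { while (char.IsWhiteSpace(Peek())) _pos++; }
    private void Expect(char c) { if (Peek() != c) throw new SyntaxException($"Expected '{c}' at {_pos}."); _pos++; }
    private void ParseName()
    {
        int start = _pos;
        while (char.IsLetterOrDigit(Peek()) || Peek() == '_') _pos++;
        if (_pos == start) throw new SyntaxException($"Expected a name at {_pos}.");
    }
    public static void Main()
    {
        Console.WriteLine(new DepthLimitedParser("{ user { posts { title } } }", 64).Parse()); // prints 3
        // Constructed input: 100,000 nested selection sets holding one field each.
        string hostile = string.Concat(Enumerable.Repeat("{a", 100_000)) + new string('}', 100_000);
        try { new DepthLimitedParser(hostile, 64).Parse(); }
        catch (SyntaxException e) { Console.WriteLine("Rejected: " + e.Message); } // process keeps running
    }
}
```

Because the rejection surfaces as an ordinary exception, the request can be failed with an error response while every other in-flight request on the worker continues unaffected.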

Affected Version(s)

graphql-platform < 12.22.7

graphql-platform >= 13.0.0, < 13.9.16

graphql-platform >= 14.0.0, < 14.3.1

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
