CVE-2026-10802
Resource Exhaustion in KeystoneJS GraphQL API
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keystonejs | keystone | up to 20260319 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10802 is a vulnerability in the KeystoneJS GraphQL API endpoint that allows attackers to send deeply nested or circular GraphQL queries. Such queries cause excessive resource consumption on the server, leading to performance degradation or denial of service (DoS). The issue arises because KeystoneJS did not enforce limits on query depth or complexity, so a malicious user can craft queries that exhaust server resources.
The vulnerability specifically affects the code handling GraphQL queries in the file packages/core/src/lib/core/queries/output-field.ts. The attack can be launched remotely without user interaction.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to perform Denial of Service (DoS) attacks on your KeystoneJS server. By sending deeply nested or circular GraphQL queries, attackers can cause the server to consume excessive CPU and memory resources, leading to severe performance degradation or server unavailability.
For example, a depth-16 query on a small SQLite database caused the server to hang for 38 seconds, demonstrating how resource exhaustion can disrupt normal operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the GraphQL API endpoint accepting deeply nested or circular queries that cause excessive resource consumption and server hangs.
To detect this vulnerability on your system, you can monitor for unusually long response times or server hangs when processing GraphQL queries, especially those with deeply nested structures.
You can also analyze GraphQL query logs to identify queries with excessive depth or circular references.
While no specific commands are provided in the resources, you might use network monitoring tools or log analysis commands such as:
- Use grep or similar tools to search GraphQL query logs for deeply nested queries, e.g., `grep -E 'posts.*author.*posts' graphql-logs.log`
- Monitor server resource usage with commands like `top`, `htop`, or `vmstat` during GraphQL query processing to detect resource exhaustion.
- Use network traffic analysis tools like `tcpdump` or `wireshark` to capture and inspect GraphQL requests for suspiciously complex queries.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to implement a query depth limit on the Keystone GraphQL API to prevent deeply nested or circular queries from exhausting server resources.
According to the pull request addressing this issue, a default maximum query depth of 20 levels is introduced, which can be configured in the KeystoneConfig using the `maxDepth` option.
This mitigation uses the `graphql-depth-limit` package integrated as a validation rule in Apollo Server, enforcing the depth limit before any user-defined rules.
Until the fix is accepted and deployed, consider monitoring and restricting GraphQL query complexity manually, and apply rate limiting or authentication to reduce exposure.
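As an added example (not Keystone's code, nor the graphql-depth-limit package itself), the following JavaScript computes a query's selection-set depth and applies the 20-level default the fix describes, so oversized queries can be rejected up front or flagged in logs. The sample queries are constructed, and matching graphql-depth-limit's depth convention (top-level fields at depth 0) is an assumption.

```javascript
// Added example, not Keystone's or graphql-depth-limit's own code.
const DEFAULT_MAX_DEPTH = 20; // default the fix introduces, configurable via maxDepth

// Constructed sample queries (not from the advisory): a benign listing whose
// argument object and string contain braces, and a circular posts -> author -> posts walk.
const BENIGN_QUERY = `
  query Recent($n: Int) {
    posts(take: $n, where: { title: { contains: "{" } }) {  # braces here must not count
      id
      title
    }
  }`;
const CIRCULAR_QUERY = '{ posts { author { posts { author { posts { id } } } } } }';

// Selection-set depth of a query document: top-level fields are depth 0, a field
// nested one level below them is depth 1, and so on (assumed to match the
// counting graphql-depth-limit uses). Scans braces rather than parsing, so it
// skips strings, comments and argument lists; fragment spreads are not followed.
function queryDepth(query) {
  let nesting = 0, maxNesting = 0, parens = 0, i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                                  // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {           // block string: skip to closing """
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
    } else if (ch === '"') {                           // string literal, honouring \" escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else {
      if (ch === '(') parens++;                        // inside (...) braces are input objects
      else if (ch === ')') parens = Math.max(0, parens - 1);
      else if (ch === '{' && parens === 0) maxNesting = Math.max(maxNesting, ++nesting);
      else if (ch === '}' && parens === 0) nesting = Math.max(0, nesting - 1);
      i++;
    }
  }
  return maxNesting === 0 ? 0 : maxNesting - 1; // the operation's own braces are not a level
}

// True when a query is deeper than the limit and should be rejected (or flagged in logs).
function exceedsDepthLimit(query, maxDepth = DEFAULT_MAX_DEPTH) {
  return queryDepth(query) > maxDepth;
}

for (const [name, q] of [['benign', BENIGN_QUERY], ['circular', CIRCULAR_QUERY]]) {
  console.log(`${name}: depth ${queryDepth(q)}, reject at limit 4 = ${exceedsDepthLimit(q, 4)}`);
}
```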
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.