Threat Advisory

Hot Chocolate Vulnerability Triggers Stack Overflow

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-40324 (CVSS score 9.1) is a critical vulnerability in the ChilliCream GraphQL Platform affecting the HotChocolate.Language package across multiple versions. The flaw is a stack overflow via deeply nested GraphQL documents: a crafted document with deeply nested selection sets, object values, list values, or list types triggers a StackOverflowException, on payloads as small as 40 KB. An attacker needs only network access to the affected system and the ability to send a malicious GraphQL query. Successful exploitation crashes the worker process, dropping all in-flight HTTP requests, background tasks, and open WebSocket subscriptions, with consequences such as service downtime, lost productivity, and potential financial losses. Limiting the HTTP request body size at the reverse proxy or load balancer layer reduces exposure, but because the triggering payload is small, this is not a foolproof mitigation.
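
As an added illustration of the kind of pre-parse check that complements a body-size limit (this is example code, not from the advisory or the HotChocolate project), the Python below measures the bracket nesting depth of a GraphQL document at a gateway or middleware layer before a recursive parser sees it, skipping strings, block strings and comments. The limit of 64 and the function names are assumptions.

```python
# Added example, not from the advisory or HotChocolate: pre-parse nesting-depth
# guard for GraphQL documents; {}, [] and () are counted, strings/comments skipped.
MAX_DEPTH = 64  # assumption: legitimate queries rarely nest more than a few dozen levels
OPENERS = {"{": "}", "[": "]", "(": ")"}
CLOSERS = set(OPENERS.values())


def max_nesting_depth(doc: str) -> int:
    """Deepest bracket nesting in doc; ValueError on unbalanced or unterminated input."""
    stack, peak, i, n = [], 0, 0, len(doc)
    while i < n:
        c = doc[i]
        if c == "#":                              # line comment runs to end of line
            while i < n and doc[i] not in "\r\n":
                i += 1
        elif doc.startswith('"""', i):            # block string; \""" is an escape
            end = doc.find('"""', i + 3)
            while end != -1 and doc[end - 1] == "\\":
                end = doc.find('"""', end + 1)
            if end == -1:
                raise ValueError("unterminated block string")
            i = end + 3
        elif c == '"':                            # ordinary string; honour \ escapes
            i += 1
            while i < n and doc[i] != '"':
                i += 2 if doc[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string")
            i += 1
        else:
            if c in OPENERS:
                stack.append(OPENERS[c])
                peak = max(peak, len(stack))
            elif c in CLOSERS:
                if not stack or stack.pop() != c:
                    raise ValueError(f"unbalanced {c!r} at offset {i}")
            i += 1
    if stack:
        raise ValueError("unclosed bracket(s)")
    return peak


def accept_document(doc: str, limit: int = MAX_DEPTH) -> bool:
    """True only if doc is balanced and nested no deeper than limit."""
    try:
        return max_nesting_depth(doc) <= limit
    except ValueError:
        return False
```

Rejected documents never reach the recursive parser, so the check is cheap (one linear scan) regardless of how small the payload is.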

RECOMMENDATION:

We recommend updating nuget/HotChocolate.Language to version 12.22.7, 13.9.16, 14.3.1, or 15.1.14.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qr3m-xw4c-jqw3
