CVE-2026-40324

Hot Chocolate · Hot Chocolate GraphQL Server

Hot Chocolate's parser lacks recursion depth limits, allowing specially crafted GraphQL payloads to trigger a fatal StackOverflowException and crash the host process.

Executive summary

A critical denial-of-service vulnerability in the Hot Chocolate GraphQL server allows unauthenticated attackers to crash host processes via small, deeply nested payloads.

Vulnerability

The Utf8GraphQLParser performs no recursion depth validation, allowing an unauthenticated attacker to send crafted GraphQL documents that trigger an uncatchable StackOverflowException in .NET, effectively terminating the worker process.
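The kind of guard the parser lacked, as an added illustration written for this page (it is not Hot Chocolate's code and does not reproduce its fix): a linear, stack-safe scan that measures bracket nesting in a GraphQL document and rejects it once a bound is exceeded, so a recursive-descent parser is never handed input deeper than its stack can absorb. The limit of 32 and the DepthExceeded name are assumptions chosen for the example.

```python
"""Bounded nesting-depth guard for GraphQL documents (illustrative example)."""

OPENERS = {"{": "}", "(": ")", "[": "]"}   # selection sets, argument lists, list values
CLOSERS = set(OPENERS.values())


class DepthExceeded(ValueError):
    """Raised as soon as nesting passes the bound, before any recursive parse."""


def nesting_depth(doc: str, limit: int) -> int:
    """Return the maximum bracket nesting depth of a GraphQL document.

    The scan is iterative, so checking deep input cannot itself exhaust the
    stack. Brackets inside string literals and '#' comments are ignored, as
    they do not drive parser recursion. Raises DepthExceeded the moment the
    depth exceeds `limit`, so no work is spent on the rest of the document.
    """
    depth = max_depth = 0
    i, n = 0, len(doc)
    while i < n:
        ch = doc[i]
        if ch == "#":                                  # skip line comment
            while i < n and doc[i] != "\n":
                i += 1
            continue
        if ch == '"':                                  # skip plain or block string
            quote = '"""' if doc.startswith('"""', i) else '"'
            i += len(quote)
            while i < n and not doc.startswith(quote, i):
                i += 2 if doc[i] == "\\" else 1        # skip escaped character
            i += len(quote)
            continue
        if ch in OPENERS:
            depth += 1
            if depth > limit:
                raise DepthExceeded(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in CLOSERS:
            depth = max(depth - 1, 0)                  # tolerate unbalanced input
        i += 1
    return max_depth


def accept(doc: str, limit: int = 32) -> bool:
    """Gate a document before parsing; False means reject with a client error."""
    try:
        nesting_depth(doc, limit)
    except DepthExceeded:
        return False
    return True
```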

Business impact

This vulnerability allows for easy and repeatable denial-of-service (DoS) attacks against the GraphQL infrastructure. With a CVSS score of 9.1, the impact is significant, as it can cause widespread service outages, drop in-flight background tasks, and force frequent process restarts, severely disrupting application availability.

Remediation

Immediate Action: Upgrade the Hot Chocolate package to version 12.22.7, 13.9.16, 14.3.1, or 15.1.14 as appropriate for your environment.

Proactive Monitoring: Monitor server logs for unexpected process terminations and investigate high frequencies of StackOverflowException errors.

Compensating Controls: Application-level workarounds are ineffective because the crash occurs inside the parser, before request handling code can intervene. Administrators may limit request body sizes at the reverse proxy level, but this provides only limited protection: a deeply nested document is already small and compresses well, so it can fit under most body-size limits.

Exploitation status

Public Exploit Available: Not specified.

Analyst recommendation

Given the ease of triggering this crash and the lack of catchable exceptions in the affected code, immediate patching is required. Organizations relying on Hot Chocolate must transition to the updated versions to introduce necessary recursion depth limits and prevent service instability.