Critical (9.1)

Hot Chocolate GraphQL server crash via stack overflow (CVE-2026-40324)


Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A cr...

Overview

A critical vulnerability in the Hot Chocolate GraphQL server allows an unauthenticated attacker to crash the entire application process with a relatively small, malicious query. The flaw is in the server's recursive descent parser, `Utf8GraphQLParser`, which has no recursion depth limit: a sufficiently nested document drives the parser until the stack is exhausted and the runtime raises an unrecoverable StackOverflowException, terminating the worker process immediately.

Vulnerability Details

Identified as CVE-2026-40324 with a CVSS score of 9.1, this vulnerability affects Hot Chocolate versions prior to 12.22.7, 13.9.16, 14.3.1, and 15.1.14. The server’s Utf8GraphQLParser does not limit recursion when parsing deeply nested structures in a GraphQL document. A payload as small as 40 KB can trigger the crash.

The crash is severe because a StackOverflowException in .NET cannot be caught by application code. It terminates the process instantly, dropping all in-flight HTTP requests, background tasks, and active WebSocket subscriptions. The process must then be restarted by its orchestrator, such as Kubernetes or IIS. Crucially, the crash occurs while the document is still being parsed, before any GraphQL validation rule (including MaxExecutionDepth or custom security analyzers) can run, so existing application-level protections that operate on the parsed document never get a chance to reject the query.

Impact

The primary impact is a sustained denial-of-service (DoS) condition. An attacker can repeatedly send a crafted query to crash application instances as fast as the orchestrator restarts them, leading to service disruption and instability. This can be done without authentication and with minimal network bandwidth, as the payload is small and highly compressible.

Remediation and Mitigation

The only complete remediation is to upgrade Hot Chocolate to a patched version: 12.22.7, 13.9.16, 14.3.1, or 15.1.14. These versions introduce a MaxAllowedRecursionDepth option in ParserOptions with a safe default, replacing the fatal stack overflow with a catchable SyntaxException that the server can turn into an ordinary error response.

There is no effective application-level workaround, as the crash is unrecoverable once the parser starts descending. As a partial mitigation, operators can configure reverse proxies or load balancers to limit HTTP request body sizes. This is not a reliable defense: the smallest crashing payload is only 40 KB, well below typical default limits, and it can be compressed to a few hundred bytes. A body-size limit therefore only has any effect at all if it is enforced on the decompressed body, or if compressed request bodies are rejected outright at the edge.
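The following regression check is an added example, not code from the advisory or from the Hot Chocolate project. It assumes a patched `HotChocolate.Language` package, and it assumes that the MaxAllowedRecursionDepth option is exposed as a `ParserOptions` constructor parameter named `maxAllowedRecursionDepth`; confirm the exact name against the release notes before using it. It builds a deeply nested query iteratively (so the generator itself cannot overflow) and verifies that the parser now rejects it with a catchable `SyntaxException`. Run it only against a patched build: on a vulnerable build a deep enough input ends the test host with a StackOverflowException instead of a failed assertion.

```csharp
using System;
using System.Text;
using HotChocolate.Language;

public static class RecursionLimitCheck
{
    // Iteratively builds "{ a { a { ... { id } ... } } }" with the given number of
    // nested selection sets. Constructed test input; not the advisory's payload.
    public static string NestedQuery(int levels)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.Append("{ a ");
        sb.Append("{ id }");
        for (int i = 0; i < levels; i++) sb.Append(" }");
        return sb.ToString();
    }

    // Returns true when the parser rejects the document with a catchable
    // SyntaxException, false when it parses the document successfully.
    public static bool IsRejected(string query, ParserOptions options)
    {
        try
        {
            Utf8GraphQLParser.Parse(query, options);
            return false;
        }
        catch (SyntaxException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // Assumed parameter name: the advisory names the option, not the signature.
        var options = new ParserOptions(maxAllowedRecursionDepth: 64);

        string shallow = "{ viewer { repos { name } } }";   // depth 3, must parse
        string deep = NestedQuery(5_000);                    // far past the limit

        Console.WriteLine($"shallow rejected: {IsRejected(shallow, options)}");
        Console.WriteLine($"deep rejected:    {IsRejected(deep, options)}");
    }
}
```

Keep this as a permanent test in the service's suite rather than a one-off: it fails loudly (by crashing the test host) if a future dependency downgrade reintroduces an unbounded parser, and it documents the depth budget the deployment actually relies on.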


Security Insight

This vulnerability highlights a classic software security principle: every recursive parser needs an explicit recursion limit, because the host stack is a finite resource that untrusted input can exhaust. It mirrors past incidents in other interpreters and compilers where unbounded recursion led to crashes. The fact that the crash bypasses all GraphQL validation layers underscores a common architectural flaw: placing security checks after a component that can itself be destabilized by malicious input. A depth check that runs on the parsed document is worthless if producing that document is what crashes the process.
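To make the principle concrete, here is an added illustration that is not Hot Chocolate code: a minimal recursive descent parser for GraphQL selection sets, written so the same class can run either unbounded (the vulnerable shape, where `field` and `selectionSet` recurse into each other with nothing stopping them) or with a depth guard that turns the failure into a catchable exception at the point of recursion. The grammar subset, class names and depth limit are all assumptions chosen for the demonstration.

```csharp
using System;
using System.Text;

// Thrown by the guarded parser instead of letting the CLR overflow the stack.
public sealed class ParseDepthException : Exception
{
    public ParseDepthException(int depth, int limit)
        : base($"Selection set nesting depth {depth} exceeds the limit of {limit}.") { }
}

public sealed class SelectionSetParser
{
    private readonly string _src;
    private readonly int? _maxDepth;   // null = no guard (the vulnerable behaviour)
    private int _pos;

    public SelectionSetParser(string source, int? maxDepth)
    {
        _src = source;
        _maxDepth = maxDepth;
    }

    // Parses one document and returns the deepest nesting level it contains.
    public int Parse()
    {
        SkipWs();
        int depth = ParseSelectionSet(0);
        SkipWs();
        if (_pos != _src.Length) throw new FormatException($"Unexpected input at {_pos}.");
        return depth;
    }

    // selectionSet : '{' field* '}'
    private int ParseSelectionSet(int depth)
    {
        depth++;
        // The guard: check the budget *before* recursing any further, so the
        // error is raised while there is still plenty of stack to unwind.
        if (_maxDepth is int limit && depth > limit)
            throw new ParseDepthException(depth, limit);

        Expect('{');
        int deepest = depth;
        SkipWs();
        while (Peek() != '}')
        {
            deepest = Math.Max(deepest, ParseField(depth));
            SkipWs();
        }
        Expect('}');
        return deepest;
    }

    // field : name selectionSet?   (mutual recursion: field -> selectionSet -> field ...)
    private int ParseField(int depth)
    {
        ParseName();
        SkipWs();
        return Peek() == '{' ? ParseSelectionSet(depth) : depth;
    }

    private void ParseName()
    {
        int start = _pos;
        while (_pos < _src.Length && (char.IsLetterOrDigit(_src[_pos]) || _src[_pos] == '_')) _pos++;
        if (_pos == start) throw new FormatException($"Expected a name at {_pos}.");
    }

    private char Peek() => _pos < _src.Length ? _src[_pos] : '\0';

    private void Expect(char c)
    {
        if (Peek() != c) throw new FormatException($"Expected '{c}' at {_pos}.");
        _pos++;
    }

    private void SkipWs() { while (_pos < _src.Length && char.IsWhiteSpace(_src[_pos])) _pos++; }
}

public static class Demo
{
    // Builds "{ a { a { ... { id } ... } } }" iteratively (constructed input).
    public static string Nested(int levels)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < levels; i++) sb.Append("{ a ");
        sb.Append("{ id }");
        for (int i = 0; i < levels; i++) sb.Append(" }");
        return sb.ToString();
    }

    public static void Main()
    {
        Console.WriteLine(new SelectionSetParser("{ viewer { repos { name } } }", maxDepth: 64).Parse());

        string deep = Nested(200_000);   // roughly 1 MB of nesting
        try
        {
            new SelectionSetParser(deep, maxDepth: 64).Parse();
        }
        catch (ParseDepthException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);   // catchable; the process survives
        }

        // With no guard the same input recurses until the CLR throws
        // StackOverflowException, which cannot be caught; the process is killed.
        // new SelectionSetParser(deep, maxDepth: null).Parse();
    }
}
```

The important design choice is where the check sits: it is evaluated on entry to the recursive production, with the depth passed down as a parameter, so the cost is one integer comparison per level and the exception surfaces as an ordinary parse error that a request pipeline can map to a 400 response. Checking depth only after the document has been built, the way a validation rule does, is exactly the ordering this CVE shows to be insufficient.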
