GHSA-hmfr-rx46-4jx2: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in GraphQL Armor's max-depth plugin (npm package @escape.tech/graphql-armor-max-depth) affecting versions <= 2.4.1, where query depth restrictions could be bypassed when ignoreIntrospection is enabled (default configuration) by naming a query or fragment __schema. The vulnerability was disclosed and patched in version 2.4.2 (GitHub Advisory).

The vulnerability exists in the countDepth function where the check for ignoreIntrospection option was not properly validating node types. The function was accepting any node type (FieldNode, FragmentDefinitionNode, InlineFragmentNode, OperationDefinitionNode, or FragmentSpreadNode) with a name value of '__schema', instead of specifically checking for FieldNode type. This oversight allowed depth limit bypasses through fragment definitions. The issue has been assigned a CVSS score of 5.3 (Moderate) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

This vulnerability affects applications using the GraphQL Armor Depth Limit plugin with ignoreIntrospection enabled, potentially allowing attackers to bypass query depth restrictions and perform resource exhaustion attacks. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (GitHub Advisory).

The vulnerability has been fixed in version 2.4.2 of @escape.tech/graphql-armor-max-depth. The fix involves explicitly checking for FieldNode type in addition to the __schema name check. Users should upgrade to version 2.4.2 or later to receive the security fix (GitHub PR).