Skip to main content

Zombie object


Zombie objects are objects that are not accessible from any query, mutation,or subscription, but are still declared in your GraphQL schema. Most of the time, zombie objects reveal legacy or unused part of your codebase. Because they are not maintained nor patched, they are a privileged vector of attack and represent a severe security risk for your application.


Remove zombie objects from your schema and associated code if they are indeed useless in your codebase, otherwise make them accessible from at least one query, mutation or subscription.

GraphQL Specific


To address the 'Zombie object' issue within the Apollo framework engine, ensure that all references to objects are properly managed. Implement strong ownership and reference counting practices. Utilize the provided memory management tools and debugging facilities to track down and eliminate any retain cycles or orphaned objects that could lead to 'Zombie object' instances. Regularly review and test your code to prevent memory leaks and unintended object retention.


To address the 'Zombie object' issue within the Yoga framework engine, ensure that all objects are properly deallocated and references are cleared when they are no longer needed. Implement proper memory management practices, such as utilizing ARC (Automatic Reference Counting) effectively, and make sure to nullify any strong references to objects that should be released. Additionally, consider using weak references for delegates and other objects that may lead to retain cycles. Regularly profile your application with memory debugging tools to detect and fix any potential zombie objects.


To prevent 'Zombie object' issues within the AWS AppSync framework, ensure that all data sources and resolvers are properly managed and disposed of after use. Implement clean-up logic in your resolvers to delete or dereference objects that are no longer needed to avoid memory leaks. Regularly monitor and audit your GraphQL API with AWS CloudWatch to detect and address any anomalies that may indicate lingering objects. Additionally, consider using AWS Lambda functions with automatic scaling to manage resource utilization effectively.


To mitigate the risk of zombie objects in a GraphQL Go framework engine, ensure proper cleanup of resources and implement a garbage collection strategy. Utilize context cancellation to stop in-flight requests and release associated objects. Regularly review and update your code to manage object lifecycles effectively, preventing memory leaks and potential performance issues.


In the GraphQL Ruby framework, to prevent the creation of zombie objects, ensure that you properly dispose of objects that are no longer needed. Implement a cleanup strategy within your resolvers and mutations to release resources and avoid memory leaks. Additionally, consider using the lazy_resolve method to defer the execution of expensive operations until they are actually needed, which can help in managing resource allocation more efficiently.


To prevent the occurrence of zombie objects in the Hasura framework engine, ensure that all subscriptions and live queries are properly terminated when no longer needed. Implement cleanup logic to release resources and unsubscribe from events when components are unmounted or when user sessions end. Regularly monitor the active subscriptions and enforce limits if necessary to avoid resource leaks that can lead to zombie objects.


Identifier: schema/zombie_object


Ignore this check

skip: true


  • Escape Severity: LOW


  • OWASP: API9:2023
  • pci: 6.5.4
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-4



  • CVSS_SCORE: 5.3