Skip to main content

Circular introspection


A circular introspection has been performed on the system. This can be exploited to conduct a Denial of Service attack.

The GraphQL introspection is done recursively on your schema. By calling several objects that reference each other, an attacker can create a circular reference.

__schema {
types {
fields {
type {
fields {
type ... and so on infinitely

Creating a circular reference will increase the size of the returned document exponentially. The larger your schema is, the bigger the document will be.

This DOS attack is hard to exploit as the size of the query might be limited by a server before reaching your backend.


To prevent circular introspection from being abused:

  • Limit the maximum depth of the introspection query.
  • Limit the maximum elapsed time to execute a GraphQL query.
  • Disable your introspection.


Identifier: resource_limitation/graphql_circular_introspection


Ignore this check

"checks": {
"resource_limitation/graphql_circular_introspection": {
"skip": true


  • Escape Severity: INFO
    • OWASP: API8:2023
    • PCI DSS: 6.5.8
    • CWE
      • 400
      • 674
      • 770
    • WASC: WASC-10


  • CVSS_SCORE: 4.4