Zombie object
Description
Zombie objects are object types that are declared in your GraphQL schema but cannot be reached from any query, mutation, or subscription. Most of the time they are leftovers of legacy or unused parts of your codebase. Because nobody maintains or patches them, they are an attractive attack vector: they typically remain visible through introspection, disclosing internal data models, and any resolver code behind them may carry unfixed bugs if a field is ever wired back to them.
Remediation
Remove zombie objects, together with their associated resolver code, from your schema if they are indeed unused in your codebase; otherwise, make them reachable from at least one query, mutation, or subscription.
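The following Python is an added worked example of how such a check can be performed; it is not Escape's own implementation. It walks a standard `__schema` introspection result from the root operation types, following field result types, arguments, input-object fields, implemented interfaces, and the possible types of interfaces and unions, then reports every user-defined OBJECT type that was never reached. The introspection document embedded in it is constructed for illustration, and the type names (`LegacyInvoice`, `AdminReport`, `OrderFilter`, and so on) are hypothetical.

```python
"""Detect zombie object types from a GraphQL introspection result.

Added example for this page, not Escape's own check implementation. It
walks the type graph from the root operation types and reports every
user-defined OBJECT type that no query, mutation or subscription can reach.
"""


def _named(type_ref):
    """Unwrap NON_NULL / LIST wrappers and return the underlying type name."""
    while type_ref is not None and type_ref.get("ofType") is not None:
        type_ref = type_ref["ofType"]
    return None if type_ref is None else type_ref.get("name")


def reachable_types(schema):
    """Names of every type reachable from Query, Mutation or Subscription.

    Follows field result types, field arguments, input-object fields, the
    interfaces a type implements, and the possible types of interfaces and
    unions (those are reachable through `... on X` fragment spreads).
    """
    by_name = {t["name"]: t for t in schema["types"]}
    stack = [schema[k]["name"]
             for k in ("queryType", "mutationType", "subscriptionType")
             if schema.get(k)]
    seen = set()
    while stack:
        name = stack.pop()
        if name in seen or name not in by_name:
            continue
        seen.add(name)
        t = by_name[name]
        for field in t.get("fields") or []:
            stack.append(_named(field["type"]))
            for arg in field.get("args") or []:
                stack.append(_named(arg["type"]))
        for inp in t.get("inputFields") or []:
            stack.append(_named(inp["type"]))
        for ref in (t.get("interfaces") or []) + (t.get("possibleTypes") or []):
            stack.append(_named(ref))
    return seen


def zombie_objects(schema):
    """Declared OBJECT types (introspection __ types excluded) never reached."""
    reach = reachable_types(schema)
    return sorted(t["name"] for t in schema["types"]
                  if t["kind"] == "OBJECT"
                  and not t["name"].startswith("__")
                  and t["name"] not in reach)


# Constructed sample introspection document (assumption: the standard
# __schema result shape). Small builders keep the literal readable.
def _ref(kind, name):
    return {"kind": kind, "name": name, "ofType": None}

def _non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}

def _list(inner):
    return {"kind": "LIST", "name": None, "ofType": inner}

def _field(name, type_ref, args=()):
    return {"name": name, "type": type_ref,
            "args": [{"name": n, "type": r} for n, r in args]}

def _obj(name, fields, interfaces=()):
    return {"kind": "OBJECT", "name": name, "fields": fields,
            "interfaces": [_ref("INTERFACE", i) for i in interfaces],
            "possibleTypes": None}

STRING, ID_, FLOAT = _ref("SCALAR", "String"), _ref("SCALAR", "ID"), _ref("SCALAR", "Float")

SAMPLE_SCHEMA = {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        _obj("Query", [
            _field("me", _ref("OBJECT", "User")),
            _field("orders", _non_null(_list(_ref("OBJECT", "Order"))),
                   args=[("filter", _ref("INPUT_OBJECT", "OrderFilter"))]),
        ]),
        _obj("Mutation", [_field("placeOrder", _ref("OBJECT", "Order"))]),
        _obj("User", [_field("id", _non_null(ID_)), _field("email", STRING)], interfaces=["Node"]),
        _obj("Order", [_field("id", _non_null(ID_)), _field("total", FLOAT)], interfaces=["Node"]),
        {"kind": "INTERFACE", "name": "Node", "fields": [_field("id", _non_null(ID_))],
         "interfaces": [], "possibleTypes": [_ref("OBJECT", "User"), _ref("OBJECT", "Order")]},
        {"kind": "INPUT_OBJECT", "name": "OrderFilter",
         "inputFields": [{"name": "status", "type": STRING}]},
        # Legacy types still declared but wired to no operation: the zombies.
        _obj("LegacyInvoice", [_field("amount", FLOAT), _field("report", _ref("OBJECT", "AdminReport"))]),
        _obj("AdminReport", [_field("internalNotes", STRING)]),
        {"kind": "SCALAR", "name": "String"}, {"kind": "SCALAR", "name": "ID"},
        {"kind": "SCALAR", "name": "Float"},
        {"kind": "OBJECT", "name": "__Schema", "fields": [], "interfaces": [], "possibleTypes": None},
    ],
}

if __name__ == "__main__":
    print("Zombie objects:", zombie_objects(SAMPLE_SCHEMA))  # ['AdminReport', 'LegacyInvoice']
```

Two details matter in practice. A type that appears only in the `possibleTypes` of a reachable interface or union is not a zombie, because a client can select it with a fragment spread, so the walk must follow `possibleTypes`. And because this works from introspection, it only sees what the server publishes: if your schema builder already prunes unreferenced types, the zombies are absent from introspection but may still live in your codebase, so the schema definition itself is the more complete input.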
Configuration
Identifier:
schema/zombie_object
Examples
Ignore this check
{
  "checks": {
    "schema/zombie_object": {
      "skip": true
    }
  }
}
Score
- Escape Severity: LOW
- OWASP: API9:2023
- PCI DSS: 6.5.7
- CWE: 561, 1006, 1164
- WASC: WASC-15
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS_SCORE: 5.3