Zombie objects are objects that are not accessible from any query, mutation, or subscription, but are still declared in your GraphQL schema. Most of the time, zombie objects reveal legacy or unused parts of your codebase. Because they are neither maintained nor patched, they are a privileged vector of attack and represent a severe security risk for your application.
Remove zombie objects from your GraphQL schema and associated code if they are indeed useless in your codebase; otherwise, make them accessible from at least one query, mutation, or subscription.
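One way to find such objects before removing them is a reachability walk over the schema, starting from the root operation types. The sketch below is an added example, not Escape's own check. It assumes a simplified SDL (no description strings, unions written on one line), and the sample schema and the `find_zombies` helper name are constructed for illustration.

```python
import re

# Constructed sample schema (an assumption for illustration). LegacyAdmin and
# AuditEntry reference each other, yet no root operation can ever reach them.
SAMPLE_SDL = """
type Query {
  user(id: ID!): User
  node(id: ID!): Node
  search(term: String!): [SearchResult!]!
}
type Mutation { rename(input: RenameInput!): User }
interface Node { id: ID! }
type User implements Node { id: ID!  name: String  posts: [Post] }
type Post { id: ID!  author: User }
type Team implements Node { id: ID!  members: [User] }
union SearchResult = User | Post
input RenameInput { id: ID!  name: String! }
type LegacyAdmin { id: ID!  passwordHash: String  audit: [AuditEntry] }
type AuditEntry { actor: LegacyAdmin  action: String }
"""

# Matches "type X implements Y { ... }" style blocks and one-line unions.
DEF_RE = re.compile(
    r"\b(?:type|input|interface|enum|union)\s+(\w+)([^{=]*)(?:\{([^}]*)\}|=([^\n]*))")

def find_zombies(sdl):
    """Return declared type names that no root operation type can reach."""
    sdl = re.sub(r"#[^\n]*", "", sdl)  # drop comments
    edges, implementers = {}, {}
    for name, header, body, members in DEF_RE.findall(sdl):
        # Field and argument types follow a colon, e.g. "posts: [Post!]!".
        refs = set(re.findall(r":\s*[\[\s]*(\w+)", body))
        edges[name] = refs | set(re.findall(r"\w+", members))
        for iface in re.findall(r"\w+", header.replace("implements", "")):
            implementers.setdefault(iface, set()).add(name)
    block = re.search(r"\bschema\s*\{([^}]*)\}", sdl)
    roots = (re.findall(r":\s*(\w+)", block.group(1)) if block
             else ["Query", "Mutation", "Subscription"])
    seen, stack = set(), [r for r in roots if r in edges]
    while stack:  # a returned interface can resolve to any implementing type
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(edges.get(name, set()) | implementers.get(name, set()))
    # An interface implemented by a reachable type is still in use.
    used = {i for i, impls in implementers.items() if impls & seen}
    return sorted(set(edges) - seen - used)

if __name__ == "__main__":
    print(find_zombies(SAMPLE_SDL))
```

`Team` is not reported because `Query.node` returns the `Node` interface it implements, while the two legacy types are reported even though they reference each other.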
Ignoring this check
- Escape Severity: LOW
- OWASP: A09:2023
- PCI DSS: 6.3.2
- WASC: 15
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS_SCORE: 5.3