GraphQL-Ruby, Token Counting Bypass, CVE-N/A (Moderate)


The vulnerability exists in the GraphQL-Ruby library’s `max_query_string_tokens` configuration, which is designed to limit the number of tokens (keywords, identifiers, punctuation, and comments) in a query string. Prior to the fix, the Ruby lexer did not count comment tokens toward that limit. Because comments were not counted, a query could exceed the configured limit simply by containing many comment lines (e.g., `# comment`). Since the limit is only enforced after parsing, the lexer processed the entire query, including the excess comments, before the token count was checked, so the string continued to be processed after the limit had effectively been reached. The issue was introduced in version 2.3.1, when `max_query_string_tokens` was added. The fix changes the Ruby lexer to count comment tokens toward the limit. The GraphQL-CParser is unaffected.
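To make the counting difference concrete, the following is an added example written for this page (not GraphQL-Ruby's own lexer): a deliberately simplified GraphQL tokenizer that counts tokens both ways, with comments excluded (the pre-fix behaviour) and with comments included (the fixed behaviour), and applies a `max_query_string_tokens`-style budget to a constructed, comment-padded query. The token patterns, `lex`, `count_tokens`, `within_token_budget?` and `PADDED_QUERY` are all assumptions of this example.

```ruby
# Added example, not GraphQL-Ruby code: a minimal GraphQL lexer used to show
# how skipping comment tokens lets a padded query slip under a token budget.

# Simplified lexical grammar (assumption: single-line strings, no block strings).
# Patterns are tried in this order; GraphQL comments run from '#' to end of line.
TOKEN_PATTERNS = [
  [:comment, /\A#[^\r\n]*/],
  [:spread,  /\A\.\.\./],
  [:punct,   /\A[!$&():=@\[\]{}|]/],
  [:string,  /\A"(?:\\.|[^"\\])*"/],
  [:number,  /\A-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/],
  [:name,    /\A[_A-Za-z][_0-9A-Za-z]*/],
].freeze

# Returns [kind, text] pairs. Whitespace and commas are "ignored tokens" in
# GraphQL and are never counted; unrecognised input raises.
def lex(query)
  tokens = []
  rest = query.dup
  until rest.empty?
    if (ws = rest[/\A[\s,]+/])
      rest = rest[ws.length..]
      next
    end
    kind = text = nil
    TOKEN_PATTERNS.each do |k, re|
      if (m = rest[re])
        kind, text = k, m
        break
      end
    end
    raise ArgumentError, "unexpected input at #{rest[0, 10].inspect}" unless text
    tokens << [kind, text]
    rest = rest[text.length..]
  end
  tokens
end

# count_comments: false mirrors the vulnerable lexer, true mirrors the fix.
def count_tokens(query, count_comments:)
  lex(query).count { |kind, _| count_comments || kind != :comment }
end

# Budget check in the spirit of max_query_string_tokens.
def within_token_budget?(query, max_tokens, count_comments: true)
  count_tokens(query, count_comments: count_comments) <= max_tokens
end

# Constructed sample: a four-token query padded with twenty comment lines.
PADDED_QUERY = (["query { __typename"] + Array.new(20) { |i| "# padding #{i}" } + ["}"]).join("\n")
```

With a budget of 10, `within_token_budget?(PADDED_QUERY, 10, count_comments: false)` accepts the query (4 counted tokens) while the fixed counting rejects it (24 tokens).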

DailyCVE Form

Platform: GraphQL-Ruby
Version: 2.3.1-2.6.0
Vulnerability: Token limit bypass
Severity: Moderate
Date: Apr 27, 2026

Prediction: April 27, 2026

What Undercode Say

Simulate a query that uses comment tokens (`#` to end of line) to bypass the token limit:
echo 'query { __typename # comment
# another comment
# yet another comment
# and more comments
...
field }' | graphql-ruby-lexer --max-tokens=10

Exploit

Craft a query that prepends or intersperses many comment lines (e.g., `# a`) before the actual query content. The unpatched lexer ignores the comment tokens, so the query passes the check as long as the effective token count (excluding comments) is below the limit, regardless of how many comment lines it contains.

Protection

Upgrade to a patched version (2.3.23, 2.4.18, 2.5.26, or 2.6.1). Alternatively, use the GraphQL-CParser lexer, which is unaffected, or set a very low `max_query_string_tokens` value to offset the bypass (not recommended).

Impact

An attacker can submit arbitrarily large query strings, potentially leading to denial of service (CPU/memory exhaustion) or bypassing query-size controls, which increases the attack surface for other injection vectors.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
