SCA: security update for HotChocolate.Language (GHSA-qr3m-xw4c-jqw3)

critical Tenable Self-Hosted Container Security Plugin ID 440593

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14,
Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted
GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger
a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable
in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP
requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped.
The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules
run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom
`IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is
invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads
contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a
`MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all
recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`,
`ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead
of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be
caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not
eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the
smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible
(~few hundred bytes via gzip). (CVE-2026-40324)

Solution

Update the HotChocolate.Language library and its related packages to version 12.22.7 or later.

See Also

https://github.com/advisories/GHSA-qr3m-xw4c-jqw3

Plugin Details

Severity: Critical

ID: 440593

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 4/17/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.61

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2026-40324

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/16/2026

Vulnerability Publication Date: 4/16/2026

Reference Information

CVE: CVE-2026-40324

cwe: CWE-674